For further information,
please contact:

Senior Associate

Legal Alerts
29/09/2021 https://www.esin.av.tr/wp-content/themes/esin/images/esin.jpg

COVID-19 Pandemic – FAQ on Turkish Data Privacy and Foreign DPA Views

Legal Alerts
Covid-19
IT & Communications
General
  1. What changed due to COVID-19?The Data Protection Law still applies to personal data processing activities and data controllers must comply with the general principles of data privacy, such as fairness and proportionality. Data controllers must still have legal grounds for processing personal data based on the type of data or rely on one of the exceptions provided in the legislation.In light of the foregoing, data controllers must bear in mind the general principles of data privacy and their obligations as data controllers in terms of the explanations provided below.

    Moreover, the Turkish Data Protection Authority has not provided any guidance on the matter yet; thus, the following evaluations are based on literal interpretations of the law and approaches from different jurisdictions, which are explained in the table at the end of this alert.

    2. Can the employer process personal information related to the travels/locations of employees/visitors?

    Yes. Employers have obligations in connection with occupational health and safety in the workplace. Therefore, employers may process such information without consent based on their legal obligations. Similarly, employers may rely on their legitimate interest as the data controller. In a balance test between the privacy of an employee’s travels and the wellbeing of other employees and continuity of the employer’s business activities, one might argue that such processing does not violate the fundamental rights and freedoms of employees.

    In light of the foregoing, employers may track, monitor or collect information on employees’ travels, and process this information for occupational health and safety purposes in the workplace. However, it is important to note that the processing activity and the relevant information must be limited in terms of scope and purposes. Moreover, the employer’s obligation to provide the adequate administrative and technical security measures for such information remains unchanged.

    For example, the employer might process the data of the countries or cities employees have visited, but the specific address of their stay or location might be too intrusive or unnecessary.

    Similarly, in terms of visitors, the employer may ask them to confirm that they have not been in a risk area or reject their entry into the workplace due to observable symptoms. However, employers may not force visitors to disclose any kind of information about themselves or process their information.

    3. Can the employer process personal information about the health status of their employee?

    Only through authorized health personnel such as a workplace doctor.

    Unless there is explicit consent of the employee or a legislation/regulation expressly ordering the employer to process such information, employers must refrain from collecting or processing health information. If such processing is required, employers must refer to an authorized health personnel such as a workplace doctor.

    4. Can the employer collect information about employees’ wellbeing directly or through other employees (such as tracking employees through CCTV for symptoms or requesting employees to report their colleagues through a report line or email if they show signs of symptoms)?

    No. This information might still be considered health data, and our explanations above under Q2 would apply. That said, employers may urge employees to consult an authorized health personnel, such as the workplace doctor, or urge employees to warn their colleagues about seeing an authorized health personnel.

    5. Can the employer disclose information about an employee to other employees?

    Only to a limited extent. Employers must not disclose health information to other employees under any circumstances. The employer needs to have a legitimate and overriding purpose to disclose the information and the scope of information must be limited to what is strictly necessary.

    For example, the employer may disclose that an employee is working from home without providing any specifics.

    6. Can the employer disclose information about an employee to authorities?

    If requested, yes.

    The Data Protection Law does not apply to the processing that authorized public institutions conduct within the scope of their preventive, defensive and intelligence activities for national and public security and public order. Considering the scope of COVID-19’s effect on the vital interests of the public, authorized institutions may request employers to undertake certain collection and processing activities and/or disclose certain information about their employees to the authorities. If the authorities make these requests, employers may conduct the relevant processing activities, including the disclosure of personal data, based on their legal obligations as data controllers.

    7. Can the employer use questionnaires to collect data?

    Although several data protection authorities advise against it, this approach appears to be changing as the pandemic progresses. In Italy, the government, employers and unions agreed on a protocol for companies that are still open, allowing employers to conduct employee temperature checks at the entrances as well as ask them to fill out questionnaires. Germany allows questionnaires to a certain extent (see table below).

    For Turkey, one might argue that employers must avoid blanket questionnaires, since currently there appears to be no legal basis for such activity. If needed in specific cases, employers must perform this activity through authorized health personnel such as a workplace doctor.

    8. What about data protection and remote working?

    Data controllers must not forget that their obligation regarding the security and protection of personal data applies outside the workplace; they also extend to remote working. Therefore, it is recommended that employers remind their employees of the obligations and ways to protect their security, as well as that of the personal data processed by the employer.

    9. What is and what is not considered health data?

  • Information that someone is infected or tested positive with COVID-19 is health data.
  • Body temperature might be considered health data.
  • Information that someone has “COVID-19 symptoms” might be considered health data.
  • Information that someone is working from home or on sick leave (without specifics) might be considered health data according to the Turkish Data Protection Authority.
  • Information that someone is quarantined might be considered health data according to the Turkish Data Protection Authority.
  • Information that someone has come from or have been in a risk area is not health data; it is considered personal data.

*Please note that the information herein may not be current or applicable at the time of your reading as authorities may take action as the COVID-19 pandemic progresses and provide additional requirements, obligations and duties for employers, which might override the regular framework of data protection.

Declarations of DPAs from Different Jurisdictions on COVID-19

Denmark

  • The employer can process information that is not specific enough to qualify as health data such as:

– the employee has been in a risk area
– the employee is in home quarantine
– the employee is sick (without reason).

  • Under certain circumstances, the employer can disclose that an employee is infected with COVID-19 if strictly necessary and in limited fashion.
France

  • Testing temperature and use of questionnaires is permissible only with specific consent of the employees.
  • Blanket questionnaire not permissible.
Ireland

  • Use of questionnaires is not prohibited; use must rely on a strong justification based on necessity and proportionality and on an assessment of risk.
Italy

  • Administering questionnaires to employees regarding their health status and recent whereabouts should be avoided. This was revised after the pandemic reached a more significant level: permissible without consent.
  • Obligation to inform the employers of any health and safety risks at work they become aware remains unaltered.
Netherlands

  • The employer may call in the occupational health and safety service or company doctor to check for COVID-19. However, the employer is not allowed to check employees’ health.
  • Employer can keep track of where the employees have been on holiday, their temperature, or request that they see the company doctor.
Poland

  • Telecoms may send SMS messages to persons entering Poland to warn them about the COVID-19 situation.
Spain

  • Refers to legal grounds for processing health information and general principles of processing personal data.
  • Refers to Recital 46 of the GDPR, which mentions the “monitoring of epidemics and their spread” and “situations of humanitarian emergencies” as important grounds of public interest (article 6.1 e) and the vital interests of the data subject or other individuals (article 6.1.d).
UK

  • Data protection and electronic communication laws do not stop the government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing.
  • If the collection of specific health data is needed, data controllers should not collect more than they need and ensure that any data collected is treated with the appropriate safeguards.
  • Acknowledges that processing data subject requests during the pandemic may take more time than usual due to unavailable resources.
Sweden

  • Information that someone is infected is health data.
  •  Information that someone has come from a risk area or that they are quarantined is not health data.
Austria

  • In the context of labor law, the specific legal basis for data processing is article 9(2)(i) of the GDPR (processing for the purpose of health care) and exclusion of health risks at the workplace based on art. 9(2)(b) of the GDPR (processing for the purpose of fulfilling obligations under labor and social law). For the transfer of health data to health authorities, article 9(2)(i) provides a corresponding legal basis (processing for reasons of public interest in the field of public health).
  • For risk prevention purposes, it is also permissible for employers to request and temporarily store the private mobile phone number of employees in order to be able to warn them at short notice about an infection in the company or authority, and informing them not to appear at the workplace.
Germany

  • Collection and processing of personal data (including health data) of employees by the employer in order to prevent or limit the spread of the virus among employees as best as possible. This includes in particular information about cases:

– in which the employee has been infected or has been in contact with a proven infected person.
– in which the employee has stayed in an area classified by the Robert Koch Institute (RKI) as a risk area.

  • Collection and processing of personal data (including health data) from guests and visitors, in particular to determine whether they:

– are infected themselves or have been in contact with a proven infected person.
– stayed in an area classified by the RKI as a risk area.

  • In contrast, the disclosure of personal data from persons who are proven to be infected or suspected of being infected in order to inform their emergency contacts is only lawful if knowing the identity is exceptionally necessary for the emergency contact to take precautionary measures.
  • Conducting temperature checks qualifies as  processing of personal data if the checks are carried out with an electronic thermometer irrespective of whether the result is recorded or not.
  • Questionnaires may be used assuming information is limited to travel within the last three weeks.
  • Questions should be limited to past travel to regions classified as COVID-19 risk areas by the German Robert-Koch-Institute within the past three weeks.
  • Employees/visitors can also be asked if they: (i) have an individual who is confirmed to have COVID-19 living in their household; or (ii) visited an event, which later became known to be a venue in which the COVID-19 disease spread.