- What changed due to COVID-19?The Data Protection Law still applies to personal data processing activities and data controllers must comply with the general principles of data privacy, such as fairness and proportionality. Data controllers must still have legal grounds for processing personal data based on the type of data or rely on one of the exceptions provided in the legislation.In light of the foregoing, data controllers must bear in mind the general principles of data privacy and their obligations as data controllers in terms of the explanations provided below.Moreover, the Turkish Data Protection Authority has not provided any guidance on the matter yet; thus, the following evaluations are based on literal interpretations of the law and approaches from different jurisdictions, which are explained in the table at the end of this alert.
2. Can the employer process personal information related to the travels/locations of employees/visitors?
Yes. Employers have obligations in connection with occupational health and safety in the workplace. Therefore, employers may process such information without consent based on their legal obligations. Similarly, employers may rely on their legitimate interest as the data controller. In a balance test between the privacy of an employee’s travels and the wellbeing of other employees and continuity of the employer’s business activities, one might argue that such processing does not violate the fundamental rights and freedoms of employees.
In light of the foregoing, employers may track, monitor or collect information on employees’ travels, and process this information for occupational health and safety purposes in the workplace. However, it is important to note that the processing activity and the relevant information must be limited in terms of scope and purposes. Moreover, the employer’s obligation to provide the adequate administrative and technical security measures for such information remains unchanged.
For example, the employer might process the data of the countries or cities employees have visited, but the specific address of their stay or location might be too intrusive or unnecessary.
Similarly, in terms of visitors, the employer may ask them to confirm that they have not been in a risk area or reject their entry into the workplace due to observable symptoms. However, employers may not force visitors to disclose any kind of information about themselves or process their information.
3. Can the employer process personal information about the health status of their employee?
Only through authorized health personnel such as a workplace doctor.
Unless there is explicit consent of the employee or a legislation/regulation expressly ordering the employer to process such information, employers must refrain from collecting or processing health information. If such processing is required, employers must refer to an authorized health personnel such as a workplace doctor.
4. Can the employer collect information about employees’ wellbeing directly or through other employees (such as tracking employees through CCTV for symptoms or requesting employees to report their colleagues through a report line or email if they show signs of symptoms)?
No. This information might still be considered health data, and our explanations above under Q2 would apply. That said, employers may urge employees to consult an authorized health personnel, such as the workplace doctor, or urge employees to warn their colleagues about seeing an authorized health personnel.
5. Can the employer disclose information about an employee to other employees?
Only to a limited extent. Employers must not disclose health information to other employees under any circumstances. The employer needs to have a legitimate and overriding purpose to disclose the information and the scope of information must be limited to what is strictly necessary.
For example, the employer may disclose that an employee is working from home without providing any specifics.
6. Can the employer disclose information about an employee to authorities?
If requested, yes.
The Data Protection Law does not apply to the processing that authorized public institutions conduct within the scope of their preventive, defensive and intelligence activities for national and public security and public order. Considering the scope of COVID-19’s effect on the vital interests of the public, authorized institutions may request employers to undertake certain collection and processing activities and/or disclose certain information about their employees to the authorities. If the authorities make these requests, employers may conduct the relevant processing activities, including the disclosure of personal data, based on their legal obligations as data controllers.
7. Can the employer use questionnaires to collect data?
Although several data protection authorities advise against it, this approach appears to be changing as the pandemic progresses. In Italy, the government, employers and unions agreed on a protocol for companies that are still open, allowing employers to conduct employee temperature checks at the entrances as well as ask them to fill out questionnaires. Germany allows questionnaires to a certain extent (see table below).
For Turkey, one might argue that employers must avoid blanket questionnaires, since currently there appears to be no legal basis for such activity. If needed in specific cases, employers must perform this activity through authorized health personnel such as a workplace doctor.
8. What about data protection and remote working?
Data controllers must not forget that their obligation regarding the security and protection of personal data applies outside the workplace; they also extend to remote working. Therefore, it is recommended that employers remind their employees of the obligations and ways to protect their security, as well as that of the personal data processed by the employer.
9. What is and what is not considered health data?
- Information that someone is infected or tested positive with COVID-19 is health data.
- Body temperature might be considered health data.
- Information that someone has “COVID-19 symptoms” might be considered health data.
- Information that someone is working from home or on sick leave (without specifics) might be considered health data according to the Turkish Data Protection Authority.
- Information that someone is quarantined might be considered health data according to the Turkish Data Protection Authority.
- Information that someone has come from or have been in a risk area is not health data; it is considered personal data.
*Please note that the information herein may not be current or applicable at the time of your reading as authorities may take action as the COVID-19 pandemic progresses and provide additional requirements, obligations and duties for employers, which might override the regular framework of data protection.
Declarations of DPAs from Different Jurisdictions on COVID-19
– the employee has been in a risk area
– in which the employee has been infected or has been in contact with a proven infected person.
– are infected themselves or have been in contact with a proven infected person.