On March 27, 2020, the Personal Data Protection Authority (“DPA”) issued an announcement on data processing activities during the COVID-19 outbreak in the scope of the Law on Personal Data Protection (“Law”). The DPA provided guidance on the data processing activities of employers and public authorities during the COVID-19 outbreak, referencing the general principles of data processing under the Law. The DPA’s announcement is available online here (in Turkish).
General Principles and Compliance with the Law
The DPA stated that public and private organizations and institutions have been taking numerous measures against COVID-19, and that personal data processing is crucial and inevitable to perform these measures. Accordingly, the DPA referred to the data minimization principle and the general principles of the Law; stated that data processing activities must be in connection with the purpose of processing, be limited, and be proportionate; and emphasized the importance of taking organizational and technical measures to ensure data security.
The DPA noted that employers might obtain employees’ explicit consents for the processing of health data. Given the spreading rate of the virus, employees can also notify their employers that they have contracted or are experiencing symptoms of the virus. The DPA also stated that workplace doctors may process health data without the data subjects’ explicit consents.
With respect to the notice requirement, data controllers must inform data subjects of the data processing activities by providing them with a short, accessible and easy-to-understand notice written in clear and plain language. As per the exemptions under Article 28 of the Law, provisions of the Law do not apply to processing activities carried out by the Ministry of Health and authorized public authorities and institutions for the protection of public health and order.
Frequently Asked Questions
1. Can a health organization contact data subjects in relation to COVID-19 without their prior consent?
Public institutions and organizations may have to collect or share personal data as part of the measures against severe threats to public health. In this respect, the relevant health organizations and institutions may send communications to data subjects in relation to public health through the telephone, text messages or e-mail.
2. What are the security measures for remote working/working from home?
To reduce data security risks during remote working, data controllers must inform their employees of the importance of personal data safety and take all necessary measures. In particular, employers must ensure that data traffic between the systems is carried out with secure communication protocols and contains no vulnerability, and that anti-virus systems and firewalls are kept up-to-date. The DPA also stated that these measures do not remove data controllers’ obligation related to data safety and security under the Law.
3. Can an employer disclose to its employees that a certain colleague/employee is COVID-19 positive?
An employer may inform its personnel about COVID-19 cases in the company. Employers do not have to provide the names of the infected employees and must avoid providing any information that is redundant or unnecessary. In the event that it is mandatory for the employer to disclose the names of the employees infected with COVID-19, the employer must initially notify the infected employees about this disclosure.
The DPA offered a notice example:
“We would like to inform you that a colleague working on the fifth floor of our head office tested positive for COVID-19. We will discover the dates on which this colleague who tested positive for COVID-19 was at the head office, and will identify and inform individuals who may have been in contact with the relevant colleague.”
Announcements made to employees may indicate that there is an employee that is COVID-19 positive and that the employee is working remotely or on leave; however, the employer must not provide specific information that may directly identify the relevant employee, such as the employee’s rank or department.
4. Can an employer request that its personnel or office visitors provide them information about their recent travels or whether they have COVID-19 symptoms, such as fever?
Employers may have reasonable grounds for requesting information from their personnel or visitors about their recent travels and whether they are displaying any symptoms of COVID-19 as part of their obligation to ensure the safety of their employees and to provide a safe working environment. Accordingly, this information request must be necessary, proportionate and justifiable, based on a risk assessment. Data controllers may take into account employees with chronic illnesses or who are vulnerable to the virus, as well as public authorities’ instructions and guidance in this regard.
5. Can employers disclose health information to the authorities for the sake of public health?
In light of Article 8 of the Law and other requirements under the relevant legislation regarding contagious diseases, employers may disclose to the relevant authorities the personal data of individuals who have a notifiable contagious disease.
6. Are the legal timelines under the Law and relevant legislation related to responses to data subjects’ requests and the obligations of the data controllers still effective and applicable?
The DPA stated that the legal timelines under the Law and relevant legislation are still effective and these timelines will not be altered. However, the DPA noted that it would factor in the current extraordinary circumstances when assessing the legal timelines for applications or data breach notifications.
Turkey continues to take active steps to combat the COVID-19 pandemic. All data controllers must carry out their data processing activities during the COVID-19 outbreak in accordance with the Law and the guidance of the DPA, and closely follow the DPA’s announcements and explanations in this regard.