During the Covid-19 pandemic, when many companies provide opportunities to their employees to work remotely, hybrid working models are also being considered recently. For many purposes related to occupational health and safety, reduction of infection risks at workplaces and determination of new working conditions, the employers need to collect personal data of their employees such as their PCR/antibodies test results and information about whether they are vaccinated and had Covid-19 before etc. Based on the information collected, the employers need to take required measures. In addition, employees’ HES codes (which are codes designated for each person through a governmental application “Hayat Eve Sığar” to show whether the relevant individual is risky for Covid19 based on records of the Ministry of Health and include information about the relevant individuals’ infection of Covid19 or contact to a Covid19 case if any) are regularly checked by the employers. All of the information is personal data and therefore subject to the personal data protection legislation.
A. The Additional Obligations of Employers for Occupational Health and Safety
Importance of the subject is also emphasized in the circular "Covid-19 Measures in Workplaces" dated 02.02.2021 (the "Circular") of the Ministry of Labor and Social Security (the “Ministry”). According to the Circular, it is noted that employers are obliged to inform their employees about the protective and preventive measures with respect to health and security risks which can be encountered at workplaces. In addition, it is requested from employers to separately inform their employees who are not vaccinated or whose vaccination is not completed yet in writing.
Parallel to measures taken in many sectors and related to various activities, it has been stated that as of 06.09.2021, employers can request from their employees who are not vaccinated to take PCR test once a week and store the records of the relevant test results.
The Circular regulated by the Ministry within Occupational Health and Safety Law has an aim to provide and maintain occupational health and safety and enhance the current situation. The relevant obligations introduced by the Circular should be taken considered generally associated with the other obligations of employers arising from occupational health and safety legislation.
B. Classification of Personal Data Related to Test Results and Vaccination/Infection Status and Conditions to Process These Types of Personal Data
Employees’ personal data regarding vaccination and infection status, test results and HES codes which contains information about the risk status are evaluated as health data in accordance with the Personal Data Protection Law (the “Law”). Accordingly, the relevant data can be processed in accordance with the Law. Health data is considered as a type of personal data of special nature in the scope of the Law and processing of such data is subject to stricter rules.
1. Evaluation According to General Principles of the Law
All personal data, including health data, should be processed in accordance with the general principles regulated in Article 4 of the Law. In this context, only relevant and limited personal data which are required for the processing purpose shall be processed considering the principle of proportionality. The relevant principles introduced by the Law is also considered as principle of data minimization under Turkish legislation. In accordance with these principles, processing of excessive personal data not required to meet the processing purpose or collection of personal data which is not related to any processing purpose would be considered as a processing activity incompliant with the Law even if the relevant data subjects consent to the same. For instance, in case of remote where employees are not expected to meet physically, when the employer requests from its employees for PCR/antibodies test results, it can be a processing activity which is incompliant with the Law unless the employer reasonably justifies the relevant processing.
Employers shall always evaluate personal data collected by them in accordance with Article 4 of the Law and consider connection and proportionality of such data with their purpose of processing. In this context, employers should not process the personal data which are not required for their purposes.
Before the Circular, in the circumstances that vaccination status of employees is asked or PCR test results of employees are requested, it was being suggested to employees to evaluate whether they can take different measures for occupational health safety without collecting such sensitive personal information of their employees. For instance, if the employer is able to provide a remote working opportunity to its employees, then it was being discussed whether requesting for such information may be proportional or not.
Nevertheless, after the Circular of the Ministry regulating the obligations of employers to process such personal data, it can be argued that personal data collected and recorded within the scope of the Circular are compliant with data minimization principle under Article 4 of the Law. In any case, all health data collected by the employers in terms of occupational health safety shall be lawfully and fairly processed, be accurate and up to date when necessary and be stored as long as required for the processing purpose behind.
2. Informed Explicit Consent
Processing of health data is subject to conditions which are more restrictive than the same applicable to other personal data. According to Article 6/3 of the Law, personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person under obligation of secrecy or authorised public institutions and organizations for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning, management, and financing of healthcare services.
Although some scholars and practitioners claim that employers have confidentiality obligation in terms of personal data of their employees, companies do not have kind of a secrecy obligation required by the Law. Confidentiality obligations under occupational health and safety legislation should not be considered as a secrecy obligation in this respect. Companies are not authorized institutions and organizations either.
In principle, employers can enable health data to be processed only by workplace doctor without explicit consent. However, to achieve the above-mentioned purposes regarding occupational health and safety, it may not be enough workplace doctor to obtain information in question. Administrative decisions based on the information collected from employees and sharing of such information with human resources and management may also be required. Therefore, it would be the safest option to request for explicit consent in terms of processing the relevant health data for occupational health and safety purposes. Although explicit consent is received, the companies shall still restrict who can access the relevant data.
Data controllers shall also know that the explicit consent shall be based on privacy notices required to be provided to data subjects in accordance with Article 10 of the Law. Obligation to inform data subjects about processing of their personal data shall be met in accordance with the Turkish Personal Data Protection Authority’s “Communique on Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform”. Accordingly, as data controllers, employers shall have informed their employees of which personal data and health data will be processed for which purposes, to whom personal data can be transferred for which purpose, how they will collect the relevant personal data and what will the legal ground to collect the same and which rights the employees will have in accordance with the Law.
Technical and Administrative Measures Required for Processing of Health Data
The controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data, protect security of personal data and prevent unlawful access to personal data.
Health data, as a sensitive data in terms of the Law, is also subject to Personal Data Protection Board’s resolution dated 31.01.2018 and numbered 2018/10 about “Adequate Measures to Be Taken by Data Controllers Processing Sensitive Personal Data” (the “Resolution") available in Turkey on the link. In this context, data controllers shall have a separate privacy policy and procedures specific for the security of sensitive personal data. The relevant policy and procedures shall be systematic, manageable, and sustainable, and shall include clear rules. The data controllers shall take additional measures such as having separate confidentiality agreements for the personnel who may have access to such data, periodically revisiting and checking access and authorization controls and regularly training the relevant personnel.
The Resolution also regulates administrative and technical requirements for electronic and physical platforms where such personal data is processed, stored and/or accessed as well as issues required to be considered for transfers (including e-mailing) of such personal data.
Evaluation
Employees’ personal data such as vaccination and infection status, test results and HES codes shall be considered as health data. In this context, even though data processing within the scope of the Circular is compliant with Article 4 of the Law, processing the relevant data by any personnel/representative other than workplace doctor and using the relevant data for any matter outside the scope of the workplace doctor’s authority shall require informed explicit consents of the relevant employees for employers. Pursuant to the Law, when the employers process such personal health data based on the Circular but without explicit consent, this may create a sanction risk upon the employers.
On the other hand, there is an ongoing study on amendment of legislation including the Law. In this context, it is also on the agenda to introduce a legal ground to enable sensitive data, including health data, be processed without explicit consent if it is mandatory to fulfil obligations related to labour and social security or social services. Therefore, studies related to legislative amendments should be followed closely.