1. Can processing personal data for the purpose of protecting public health within the scope of the struggle and measures taken to prevent the Covid-19 epidemic and its risk be considered as an exception under the Personal Data Protection Law in Turkey? What are the legal reasons for data processing within this scope?
Article 28 of the Law on the Protection of Personal Data No. 6698 ("Law No. 6698") lists the cases that may be exempted from the application of the Law. Accordingly, pursuant to Article 28/1(ç) of the Law No. 6698, the Law does not apply to the data processing activities of public institutions and organizations authorized by law within the scope of preventive, protective and intelligence activities aimed at ensuring national defense, national security, public security, public order or economic security. In this regard, as stated in the public announcement of the Personal Data Protection Authority issued on March 27, 2020, since the current situation threatens public safety and public order, it is possible for the Ministry of Health and public institutions and organizations mentioned in the article to process personal data.
On the other hand, data controllers other than the Ministry of Health and relevant public institutions and organizations may not benefit from this exemption. Moreover, there is no legal basis allowing the processing of personal data or sensitive personal data (such as health data) for protecting public health or preventing epidemic risks. Since the exceptional rule for the processing of health data (without the need for consent) is regulated in a very restricted scope under Article 6/3 of Law No. 6698, its application in practice is rather limited.
For this reason, under the Law No. 6698, it will be necessary to obtain the explicit consent of data subjects as regulated in Article 6/2 of the Law No. 6698 in terms of processing of health data. Besides, for personal data that is not considered as health data, data processing conditions within the scope of Article 5/2 of Law No. 6698 (except for explicit consent) may also find application depending on the situation.
2. Can employers process travel history data of their employees or visitors?
In accordance with Article 4 of Occupational Health and Safety Law No. 6331, employers are obliged to provide workplace health and safety.
Therefore, employers need to take some precautions to prevent the Covid-19 outbreak from spreading in the workplace and to protect the health of their employees as well as the public.
In this context, many workplaces ask their employees to share information about their recent travels (especially in the last 14 days). Similarly, this information is also requested from visitors to the workplace.
The Personal Data Protection Authority, in its announcement published on 27 March 2020, stated that since employers have legal obligations to protect the health of the employee and provide a safe workplace, there may be reasonable grounds for asking the employees or the visitors to inform the employer as to whether they have visited an area affected by the virus and/or show symptoms of the disease caused by the virus, and that the request of information should have a strong justification based on necessity, proportionality and risk assessment. The Authority also stated that in such a case, certain elements should be taken into consideration such as the business travel of the staff, the presence of people in the workplace with chronic illnesses or who are likely to be more severely affected by the virus and the instructions or guidance of public health authorities.
Travel information of employees or visitors is considered to be personal data under Law No. 6698. For this reason, employers will be considered as data controllers in terms of their data collection and processing activities. Therefore, employers who are data controllers must act in accordance with the relevant articles of the Law No. 6698 when processing the travel history information of the employees or visitors.
Data controllers may process the travel history data of employees without seeking explicit consent as “it is necessary for the data controller in order to fulfill a legal obligation” as stated in Article 5/2(ç) of Law No. 6698. Thereafter, they can take required measures to prevent any risk.
On the other hand, it is important to note that employers must comply with the general principles set out in Article 4 of Law No. 6698 when processing personal data. In this context, employers must process personal data lawfully, fairly and in a transparent manner, must collect and process data for specified, explicit and legitimate purposes, and must ensure that personal data is accurate, adequate and limited to what is necessary in relation to the purpose of collection. The Personal Data Protection Authority, in its announcement issued on 27 March 2020, remarked that the general principles regulated in the Law No. 6698 should be at the core of all personal data processing activities within the scope of combatting COVID-19 and all personal data processing activities should be carried out in accordance with the general principles. Therefore, data controller employers must collect and process the travel data of the employees or visitors only to the extent sufficient and necessary to combat the Covid-19 outbreak and take necessary measures in the workplace, and they must not process any personal data more than what is necessary. In this context, it may be considered reasonable to ask for information about which countries the employees and visitors travel to, whereas the request for the specific address in that country exceeds the limit of proportionality.
3. Can employers ask their employees or visitors to the workplace to report whether they show any signs of illness as part of combating the Covid-19 outbreak? Can they request information about the health status of family members or relatives of employees or visitors? In this context, can they measure the body temperature of employees or visitors at the entrance of the workplace or collect information about these people by using thermal cameras?
Within the scope of the Covid-19 outbreak, data about whether employees or visitors show any signs of illness and whether they have a fever are health data and are accepted as sensitive personal data under Article 6 of Law No. 6698.
In accordance with Article 6/2 of Law No. 6698, sensitive personal data cannot be processed without the explicit consent of the data subject. On the other hand, in accordance with paragraph 3 of the same article, health data can only be processed by persons, authorized institutions and organizations under the obligation to keep secrets, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning, financing and management of health services, without the need to obtain the explicit consent of the data subject.
Although it is accepted that the processing of health data within the scope of combating the Covid-19 epidemic is conducted for the purpose of “protection of public health”, in order to process health data without the need for explicit consent, the data processing must be carried out only by “persons or authorized institutions and organizations under the obligation to keep secrets”. Since employers cannot be considered as individuals or authorized institutions and organizations that have an obligation to keep secrets, it may be a solution for the employers to involve the workplace doctor in processing the health data of their visitors or employees. It is necessary to ensure that the health data in question is processed only by the workplace doctor without being shared with the employers. Otherwise, we think that obtaining explicit consent from visitors and employees is the plausible option considering the legal framework of the Law No. 6698.
The announcement dated 27 March 2020 by the Personal Data Protection Authority also states that obtaining the explicit consent of the employee may be preferred as to processing of health data whereas workplace doctors may also process health data under the conditions referred to in the Law other than explicit consent.
4. Do employers need to inform visitors or employees about their personal data processing activities?
One of the most important obligations envisaged by the Law No. 6698 for data controllers is the obligation to inform data subjects about data processing, as regulated in Article 10.
Data controllers are obliged to provide information to the data subject about their data processing activity, regardless of what processing basis they rely on in terms of processing personal data (in other words, whether they obtain explicit consent from the data subject or other processing conditions that do not require explicit consent). In this context, employers are obliged to inform their employees and visitors as data controllers before performing data processing activities or at the time when personal data are obtained.
5. If employers want to obtain explicit consent from their employees or visitors, but the employee does not give explicit consent or explicit consent cannot be obtained, can the prevention of entry into the workplace be considered as a situation affecting the validity of explicit consent?
We know that the most important element of explicit consent is that it is given of “free will”, that is, freely given. In this context, there is a rule that explicit consent cannot be a prerequisite for the provision of a service and that withholding it cannot be subject to a sanction, as either would affect the validity of explicit consent. Unfortunately, the situations that do not require explicit consent for the processing of health data in Law No. 6698, even in this type of an epidemic, are quite limited. In practice, in order to overcome such problems, it is important to inform the relevant people in the most appropriate and correct way and to give information about the sensitivity of the issue. Alternative solutions, such as video interviews, can be offered so that people who do not grant explicit consent need not enter the workplace. In terms of employees, the employer's obligation to protect workplace health and safety can be explained to the employee again.
On the other hand, collecting data in a way that does not fall within the definition of personal data processing under Law No. 6698 may also facilitate the implementation of measures in practice, and data minimization must be considered at all times.
6. Can public institutions and organizations process health data and other types of personal data?
In accordance with Article 28/1(ç) of the Law No. 6698, the Law does not apply if personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Given the purpose of Law No. 6698 and the nature of the situation, it is considered that the COVID-19 outbreak can be considered as a “public safety” and “public order” issue and the measures taken by public institutions and organizations to protect public health within the scope of the COVID-19 outbreak can benefit from the “public safety” and “public order” exception. As stated by the Personal Data Protection Authority in its public announcement issued on 27 March 2020, since the current situation threatens public safety and public order, the Minister of Health along with public institutions and organizations that fall within the scope of the mentioned article may process personal data within the terms of Article 28/1(ç) of the Law no. 6698.
7. Can employers share personal data of their employees with authorized public institutions and organizations?
As stated above, the data processing activities of authorized public institutions and organizations within the scope of preventive, protective and intelligence activities aimed at ensuring public security are exempted from the Law No. 6698. Therefore, employers may need to share personal data of their employees if authorized public institutions and organizations request data from employers to be shared within the framework of these activities.
As per Article 8 of the Law no. 6698, personal data may be transferred with the explicit consent of the relevant person whereas it may be transferred without an explicit consent if one of the conditions envisaged by articles 5/2 and 6/3 is met.
In cases where the personal data requested by authorized public institutions and organizations are not sensitive personal data such as health data, employers will be able to transmit such personal data to the relevant institutions and organizations within the scope of the data processing basis stated in Article 5/Ç of the Law No. 6698: “It is necessary for the data controller in order to fulfill a legal obligation”. On the other hand, if the requested data are sensitive personal data such as health data, such data can only be shared with persons, authorized institutions and organizations who are under the obligation to keep secrets pursuant to Article 6/3 of Law No. 6698.
The public announcement issued by the Personal Data Protection Authority on March 27, 2020 states that within the framework of the provisions in Article 8 of the Law No. 6698 and relevant legislation regarding contagious diseases, the employer may share with the relevant authorities the personal data of those who have an infectious disease subject to notification.
8. Must workplaces that start working from home as part of the measures taken to combat the Covid-19 outbreak take additional security measures to protect personal data?
In accordance with Article 12 of Law No. 6698, data controllers must take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of personal data, to prevent illegal access to personal data and to ensure the protection of personal data.
There is no change in terms of the obligation in question, not even after the Covid-19 outbreak. Therefore, employers must always take the necessary precautions to comply with this obligation stipulated in the law in order not to encounter any data security violations, even when starting to work from home. On the other hand, if necessary, additional technical and administrative measures can be taken so that the technical and administrative measures applied in the workplace continue at home; employees who start working from home can be informed or educated in this context.
The Personal Data Protection Authority has also made statements in this direction in its public announcement issued on 27 March 2020. It underlined that, in order to minimize the risks that may arise from working remotely, all kinds of measures should be taken, especially ensuring that the data traffic between the systems is carried out with secure communication protocols and contains no vulnerability and that the anti-virus systems and firewalls are kept up-to-date, and that employees should be carefully informed about personal data security.
9. Can employers process location data of their employees within the scope of security measures?
Processing of location data must be evaluated depending on the situation. However, for employers, the processing of this type of personal data will not be compatible with the criteria of proportionality in many cases. Especially for the prevention of epidemic risks, it is considered that the processing of this type of data can be held excessive and not compliant with general data processing principles.
10. Is there a change in the legal periods that continue to run under the Personal Data Protection Law?
The Personal Data Protection Authority (DPA) noted in the public announcements issued on March 23, 2020 and March 27, 2020 that it was aware that data controllers had started to apply different operational practices (remote work, rotating work etc.) within the scope of the measures taken in this extraordinary process. It therefore stated that, regarding the complaints, notices and data breach notifications submitted within the scope of Law No. 6698, the extraordinary conditions currently being faced will be taken into consideration in evaluating the compliance of the data controllers with the legal periods specified in the Law No. 6698. However, there is no official decision on suspending time limits etc., so data controllers must always be diligent.
11. Can workplaces, shopping malls, banks or public institutions require an HES code query for entry?
As per Article 28/1(ç) of the Law no. 6698, the Law does not apply to the data processing activities of public institutions and organizations authorized by law within the scope of preventive, protective and intelligence activities aimed at ensuring national defense, national security, public security, public order or economic security. Therefore, in case the HES code query is conducted by public institutions or organizations, it will not fall within the scope of the Law no. 6698.
Regarding workplaces, shopping malls and banks, the consequences that may arise from requiring an HES code query for entry should be examined, along with whether the information obtained will be recorded. Although shopping malls, banks and other workplaces which are not public institutions or organizations might require an HES code query while welcoming guests for the purpose of complying with the circular of the Ministry of Interior or with the decision of the governorship, the aforesaid data processing activity should be conducted in accordance with the provisions of the Law No. 6698, particularly those related to processing of health data (informing the data subject and obtaining explicit consent), since such data processing activity may require health data processing.
First published by Itechlaw - Open Forum on 30.03.2020.