Evaluations on the Corona Virus (Covid-19)-Related Implementations Under the Law on the Protection of Personal Data
As required by the measures taken throughout the Country in the process of combating the corona virus outbreak which is declared as a pandemic by the World Health Organization, many personal data pertaining to individuals, and particularly their health data, are collected, processed, transferred and stored. Therefore, it is necessary to evaluate such personal data processing activities within the scope of Law numbered 6698 on the Protection of Personal Data (the “PDPL”).
In addition to the measures taken by administrative authorities due to the corona virus outbreak, certain extraordinary precautionary implementations have been initiated by companies/employers in order to protect the health of their employees, customers and other business partners at workplaces or in various areas. As part of these additional measures, for example; the employees’, customers’ or other business partners’ temperatures are taken when they enter workplaces or they are expected to fill up certain forms.
Can health data be processed due to the outbreak?
Health data are considered to be included in the special categories of personal data, and they need to be kept under protection and need to be processed meticulously, much more than other personal data. Thus, this matter is emphasized frequently in the decisions and guides of the Personal Data Protection Board and the PDPL. This is because; health data contain, by their nature, the most private information pertaining to an individual. Therefore, it is mandatory to protect privacy by means of the highest security measures.
As is known, health data pertaining to many individuals are processed both in health institutions, at other locations in which healthcare professionals or administrative personnel intervene and at workplaces by employers, due to the corona virus outbreak. Therefore, the lawfulness of processing personal health data in this way becomes a matter of debate.
In spite of the fact that a special legal arrangement has not currently been made by the Personal Data Protection Authority in respect of the corona virus outbreak, it is obvious that personal data should be processed in compliance with the PDPL and other relevant legislative provisions. It is fundamentally essential that the health data, qualified as “Special Categories of Personal Data” in the PDPL, be also processed in compliance with the special provisions determined within this context. In this course, there are matters to be taken into consideration with regard to the personal heath data processed by companies/employers. First of all, in order for the data controller companies/employers and the data processors, assigned to process personal data on behalf of those data controllers, to process the health data included in the special categories of personal data and other personal data pertaining to their employees, customers or business partners; this circumstance should take place in order to ensure the occupational health and safety, which is a legitimate purpose. In this respect, it is obvious that there is a legitimate purpose due to the pandemic disease. However, it is necessary to process personal data in connection with, limited to and in proportion to the processing purposes, namely within the scope of and for the purposes of prevention of the spread of the pandemic disease and for the purposes of treatment of the pandemic disease. Health data or other personal data irrelevant to the pandemic disease situation should not be processed, and excessive processing activities and operations should be avoided.
Besides, it is also of importance to be attentive to take, in the highest level, all the administrative and technical measures necessary for ensuring the security of the personal health data processed in accordance with the PDPL provisions in cases where necessary.
Are there any restrictions in the processing of health data? What are the points to be taken into consideration?
In the PDPL, the conditions for the lawfully processing of personal data and special categories of personal data are regulated; however, the processing of special categories of personal data are subject to more sensitive conditions. Within this context, the processing of special categories of personal data are, as a principle, prohibited in the absence of the individual’s explicit consent. However, there are exceptions to this principle. Accordingly, special categories of personal data, other than those related to health and sexual life, may be processed without the data subject’s explicit consent, in cases prescribed by the law.
However, it is prescribed that the personal data related to health and sexual life may, without the data subject’s explicit consent, be processed by competent institutions and organizations or persons who are under the confidentiality obligation, for the purposes of protecting the public health, conducting preventive medicine, medical diagnosis, treatment and nursing services and for the planning and management of healthcare services and their financing.
Within this framework, it is necessary to comply with the PDPL while processing personal health data at locations and particularly at workplaces. For instance, in spite of the fact that the obtainment of fever measurement data while entering the workplaces has a purpose to protect the health of employees and the public, the existence of the conditions specified in the PDPL should be sought.
In other words, under the current situation, health data may only be processed in case the individual’s explicit consent is obtained, or by competent institutions and organizations or persons who are under the confidentiality obligation for the purposes of protecting the public health, in which case it is not necessary to obtain the individual’s explicit consent. Hence, it is possible for a data controller to consider the collection of all kinds of data, which are related to whether or not the persons at a workplace or at a location have the corona virus disease or its symptoms, as a mandatory measure and in terms of pandemic risk assessment, along with the collection of the fever measurement data as health data. As per the article 6/3 of the PDPL, the personal health data collected in this way are considered to be processed for the purposes of protecting the public health, conducting preventive medicine, medical diagnosis, treatment and nursing services and for the planning and management of healthcare services and their financing. However, health data should be processed via workplace physicians, only by access of workplace physicians. In cases where it is not possible to process such health data through the channel of workplace physicians, the existence of the relevant notification/declaration made directly by the patient, or the obtainment of the relevant explicit consent, if possible, is sought. However, although the PDPL does not contain an express provision in this regard; as per the article 5/2(b) of the PDPL, in cases of emergency, it is also possible to deem, by way interpretation, that personal health data may be processed as a last resort, proportionately, by applying the condition “it is mandatory to process personal data in order to protect the life or physical integrity of an individual or another person where the individual’s consent is not deemed legally valid or the individual is incapable of giving explicit consent because of de facto impossibility”. Other than health data, since the information, such as “which country has the individual recently travelled to” or “the individual’s position at the workplace”, “the departments at the individual’s workplace” and “the persons whom the individual has contacted”, is not included in special categories of personal data; it is not necessary to obtain explicit consent in the processing of such data.
The most significant matters regarding the processing of personal health data are the protection and destruction of these data by ensuring their privacy. In this direction, it is necessary to take into consideration “Adequate Measures to be taken by Data Controllers in the Processing of Special Categories of Personal Data ”, published under the Personal Data Protection Board’s Decision dated 31/01/2018 and numbered 2018/10. Within this context, the primary measures necessary to be followed may be listed as “to determine the policies and procedures for the processing of special categories of personal data”, “to provide regularly data security trainings to the persons taking part in the processing phases of such data”, “to conclude non-disclosure agreements with these persons”, “to determine the these persons’ authorization scope and limitations while they access relevant data”, “to carry out the authorization checks periodically”, “in case of change of duty or reassignment, to revoke the previous authorizations and the return of the documents and inventories delivered to these persons”, etc. In addition, the special categories of personal data should be kept by means of cryptographic methods, and the transaction records should be logged safely and securely. In case the special categories of personal data are kept in physical environment, care should be taken to ensure that the adequate security measures have been taken and that the data are under protection against flood, fire, etc. and that any unauthorized entries and exits are prevented in these environments. Furthermore, the transfers of special categories of personal data should be carried out by ensuring a high security level. In addition to the above, in order to resolve the debates, an announcement entitled “Public Announcement on Protection of Personal Data During the Fight Against Covid-19” was published by the Personal Data Protection Authority on 27.03.2020 in respect of the matters necessary to be taken into consideration in the process of fighting against the corona virus outbreak.  Accordingly, the matters detailed below are clarified.
Sharing Health Data
Health data of individuals in certain areas will need to be shared with public institutions and organizations when necessary, due to the pandemic disease. In such case, as per the article 28/1(ç) of the PDPL:
“The provisions of this Law shall not apply in the following cases: … ç) in case personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defense, national security, public security and public order or economic security….” Therefore, it is obvious that the above condition takes place and that the PDPL consequently shall not apply. Within this framework, there is no obstacle and problem for the companies or employers to share with competent public institutions and organizations all kinds of personal data pertaining to the individuals present at workplaces or at various locations. At this point, the determinant criterion is that personal data are transferred limited to the purpose of ensuring public security.
Obligation to Inform
Before processing personal data or at the time of processing at the latest, data controllers are obliged to inform data subjects about their personal data, including the purpose for which they collect these personal data and the storage period of these personal data. Also, in this course, it is necessary for data controllers to fulfil their obligation to inform; the information to be furnished to the individuals by the data controllers should be easily accessible, understandable and made by using a clear and plain language. However, for health data, the explicit consents of the data subjects should be obtained, if this is necessary within the scope of the above-mentioned conditions, after the informing takes place.
Furthermore, due to the severity of the current state of the pandemic disease, we recommend that, while furnishing information, it will be useful to remind that any acts in violation of the measures related to infectious diseases constitute a crime under the article 195 of the Turkish Criminal Code numbered 5237.
In any data processing activity, the data controller has to take the relevant administrative and technical measures necessary for data security. Within this context, the name and surname information pertaining to an employee infected by corona virus should not be shared with third parties, in the absence of a clear and compelling justification.
Erasure, Destruction or Anonymization of Personal Data
The personal data processed should be retained only for the period required by the measures necessary to be taken due to the outbreak, or for the periods prescribed by the legislation if such periods are stipulated by the legislation and then, the personal data should be destroyed in compliance with the Regulation on the Erasure, Destruction or Anonymization of Personal Data.
Questions and their answers contained in the Personal Data Protection Board’s Public Announcement dated 27.03.2020
Frequently asked questions are answered in the announcement entitled “Public Announcement on Protection of Personal Data During the Fight Against Covid-19” published by the Personal Data Protection Authority on 27.03.2020 ; and thus, a number of matters are clarified therein. The following points are cited from the text of the public announcement referred to above:
“Can a healthcare organization contact individuals in relation to COVID-19 without having prior permission?
Governments have obligations to ensure public health and public order in situations that reach the global epidemic dimension, such as the COVID-19 virus. Public institutions and organizations may additionally need to collect and share personal data to combat serious threats to public health.
Within this context, the Personal Data Protection Law does not stop relevant health institutions and organizations from sending public health messages to people, either by phone, text or e-mail.
It is known that more of the employees work from home during the pandemic. What kind of security measures should be taken during this period?
The legislation on protection of personal data is not a barrier to working from home. During the pandemic, employees may work from home and they can use their own device or communication equipment. The legislation on protection of personal data does not prevent that, but necessary technical and organizational measures must be taken to ensure the security of personal data.
In order to minimize the risks that may arise during remote working, all employees related to the topic should be carefully informed in terms of taking all kinds of precautions and about the security of personal data, mainly ensuring that the data traffic between the systems is carried out with secure communication protocols and it does not bear any weaknesses, and anti-virus systems and firewalls are kept up-to-date.
However, it should not be forgotten that the measures to be taken by the employees do not eliminate the responsibility of the data controllers to ensure the security of personal data under the Law.
Can an employer disclose to her/his colleagues/other employees that an employee is infected with the virus?
An employer should keep employees informed about the cases. While providing this information, giving names is not necessary and more information than necessary should not be given. In cases where it is necessary to disclose the name of the infected employee in terms of taking the protective measures, it is beneficial to inform the relevant employees in advance about the issue. Employers have an obligation to ensure the health and safety of their employees, as well as to fulfill their duty of care.
In this context, employers can make their initial announcements as in the following: “We would like to inform you a colleague working on the 5th floor tested positive for COVID-19. After determining those who contacted our infected friend during the dates that he/she was in the building, we will inform them about the situation.”
As in the example above, for the announcements to be made in an institution, organization or a company, other employees should be informed that there is a COVID-19 infected employee and whether he/she is working from home or on leave; however, unless it is mandatory, details that will directly identify who that employee is, such as the internal level or team, should not be shared.
Can an employer request all employees and visitors to provide information about their travels to affected countries and virus symptoms, such as fever?
Employers have a legal obligation to protect employee health and ensure a safe workplace. In this regard, and under the current circumstances, employers will have their justified reasons to request the employees and visitors to provide information on whether they have visited a place affected by the virus and/or they show COVID-19 symptoms.
This information request must have a strong rationale based on necessity and proportionality and risk management. In this case, certain factors should be taken into account, such as the travel of the employees due to their tasks, existence of people with chronic illnesses in the workplace or those who have the possibility of being affected by the virus more severely, and the instructions or guidance from public health officials.
In cases where adequate measures needed to be taken based on the existence of people have recently traveled to a country which is affected by the virus and/or show symptoms related to the disease, there is no harm in bringing certain recommendations to the attention of employees and visitors in terms of personal data protection legislation.
Can an employer share the health data of the employers with authorities for public health purposes?
Within the framework of article 8 of the Law and the provisions of other laws on the contagious diseases, personal data relating to those who carry the contagious diseases can be shared with the relevant authorities by the employer.
During the pandemic, when the organizations are temporarily closed or the capacity of the data controllers to fulfill the requests of the data subjects is restricted due to COVID-19, are the periods determined in the Personal Data Protection Law and relevant legislation within the scope of the obligation to respond to requests of the data subjects and responsibilities to our Institution still valid?
Under the legislation on protection of personal data, in relation to the complaints, notices, and data breach notifications submitted to our Authority, various periods are determined both in the Law and relevant secondary legislation regarding the obligations of data controllers to data subjects and our Authority, and the compliance with these periods by the data controllers is important.
It is not possible to extend the periods determined in the Law and relevant legislation; however, in these extraordinary conditions our country is in, by taking into account that various operational applications (remote working, shift working, etc.) are used with respect to the measures taken by data controllers, for each complaint or data breach notification, the extraordinary conditions we are in will be observed by the Personal Data Protection Board in terms of evaluating the periods that data officers are obliged to comply with.”
In the light of all above-mentioned, in the period of combating the corona virus outbreak, companies or employers should obtain explicit consents of the relevant data subjects after informing them insofar as possible about the data processing operations in compliance with the PDPL in the processes for the processing of the health data pertaining to the individuals at workplaces or various locations, and they should conduct these processes through the channel of workplace physicians if any, and they should keep health data by ensuring high-level security measures, they should share these data with the competent public institutions and organizations when necessary, they should process data only limited to the purposes of prevention of the spread of the pandemic disease and the purposes of treatment of the pandemic disease, they should retain these data until expiration of the required period of time and destroy them at the end of these periods of time. Within this context, it is of importance to carry out personal data processing activities within this framework by taking into consideration the decisions and announcements that will be published by the Personal Data Protection Authority in the period of combating the corona virus outbreak.
 https://www.kvkk.gov.tr/Icerik/6721/KAMUOYU-DUYURUSU-Corona virüsü-ile-Mucadele-Surecinde-Kisisel-Verilerin-Korunmasi-Kanunu-Kapsaminda-Bilinmesi-Gerekenler-
 https://www.kvkk.gov.tr/Icerik/6721/KAMUOYU-DUYURUSU-Corona virüsü-ile-Mucadele-Surecinde-Kisisel-Verilerin-Korunmasi-Kanunu-Kapsaminda-Bilinmesi-