During the fight against COVID-19 pandemic, governments benefit from technological opportunities as well as traditional measures such as social distance and social isolation. In this context, with its public announcement, Personal Data Protection Authority (“Authority”) has determined general principles for tracing methods such as mobile applications that are used to prevent the spread of the pandemic and process personal data such as health, location and contact information of the data subjects.
In this context the Board has stated that;
- It is legally possible to process location data by authorized institutions within the scope of public order and protection of public security, but the security of personal data should be ensured,
- The location data is considered as personal data within the scope of Law on the Protection of Personal Data numbered 6698 (“DP Law”) by emphasizing on the definition in the Regulation on Processing and Protection of Personal Data in the Electronic Communication Sector,
- According to the article 28/1(ç) of DP Law, DP Law is not applicable in the event that personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order or economic security. Therefore; the Board has stated that in order to eliminate the threat in cases that threaten public order and public safety, such as pandemic disease, data processing activities to be carried out by authorized public institutions and organizations will be evaluated within the scope of this article in order to ensure isolation of people who have been diagnosed with pandemic disease in the period of contagiousness, to identify crowded areas and develop measures in this context will be evaluated within the scope of the article 281/(ç) of DP Law.
- Finally, the Board has stated that although Finally, the Board has stated that although the relevant data processing activity is not considered within the scope of DP Law, the relevant institutions and organizations should take all necessary technical and administrative measures to ensure the security of personal data and delete or destroy such personal data in the event that the reasons for the processing no longer exist in the process of processing of location data by associating them with persons’ health status by considering that, if the relevant data is disclosed to third parties unlawfully, serious damages may arise for the data subjects.
The full text of the Authority’s announcement dated 9 April 2020 is available at this link.