During the fight against COVID-19 pandemic, in many cases personal data including special kinds of personal data is processed. In this context, the public announcement of the Personal Data Protection Authority (“Authority”), has stated that provision of health services and protection of public health is the fundamental issue during this process. The Authority specifically emphasized that when health data or other personal data are needed to be processed, it is necessary to ensure that data processing activities are carried out in accordance with the Law on Protection of Personal Data numbered 6698 (“DP Law”) by data controllers and data processors and that necessary administrative and technical measures are taken for data security.

In this context the Authority has announced the following in its public announcement;

  • It is essential to follow the key principles regulated under the Article 4 of Law on Processing of Personal Data numbered 6698 (“DP Law”) in all personal data processing activities conducted within the scope of the fight against the COVID-19 pandemic. Personal data should be (i) processed lawfully and fairly, (ii) accurate and where necessary kept up to date, (iii) processed for specified, explicit and legitimate purposes, (iv) relevant, limited and not excessive in relation to the purposes for which they are processed, (v) kept for as long as it is foreseen by relevant legislation or necessary for the purposes of processing.
  • Personal data should be processed within the scope of personal data processing conditions indicated under the Article 5 and Article 6 of DP Law. Besides, it was emphasized that data controllers when processing health data should always bear in mind the Board Decision dated 31/01/2018 and numbered 2018/10 on “The Adequate Measures to Be Implemented When Processing Special Categories of Personal Data”.
  • According to the Article 28/1(ç) of DP Law, DP Law is not applicable in the event that personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security. Therefore; it was stated that the Ministry of Health and/or other public authorities and organizations within the scope of the Article 28/1(ç) of DP Law might process personal data without being subject to the DP Law.
  • It has been reminded that data controllers should fulfil their obligation to inform data subjects.
  • It has been stated that all administrative and technical measures should be taken to ensure personal data security, and that the data of the infected persons should not be disclosed to any third party without a clear and mandatory justification.
  • It has been emphasized that the unlawful sharing of personal data in platforms like social media, constitutes a violation of the Article 136 of the Turkish Penal Code.
  • It has been mentioned that data processing activities carried out for the purpose of preventing the spread of COVID-19 outbreak should be complied with the proportionality principle and personal data should not be processed excessively.

Key issues mentioned in the announcement for data controllers are as follows;

  • When the spread rate of the pandemic is considered, employees can report health information with their own consent or data controllers may prefer obtaining employees’ explicit consent.
  • It has been stated that DP Law does not prevent health institutions and organizations to send messages regarding public health through telephone, message or e-mail.
  • It has been mentioned that in order to minimize the risks that may be caused by remote working, all measures should be taken especially the data traffic between systems should be conducted with safe communication protocols, the guarantee of lack of vulnerability of systems and up-to-datedness of anti-virus systems and firewalls should be ensured; besides it has been mentioned that relevant employees should be informed about data security.
  • Due to fact that employers have an obligation to ensure the health and safety of their employees, as well as a duty of care, employers should keep their employees informed about cases in their organisation. Employers should not name individuals and should not provide more information than necessary. In the event that it is necessary to disclose the name of the employee(s) infected by the virus in order to take protective measures, the relevant employees should be informed in advance.
  • Employers are obliged to protect their employees’ health. Therefore; employers could ask employees and visitors to inform them if they have visited an affected region and/or are experiencing any symptoms.
  • Within the framework of the Article 8 of DP Law and other laws related to contagious diseases, personal data regarding those contagious diseases need to be notified and may be shared with the relevant authorities by the employer.

The full text of the Authority’s announcement dated 27 March 2020 is available at this link. (Only available in Turkish)