Because of the Covid-19 threat we are going through, various measures are being implemented both in our country and around the world. In this context, the processing of a large amount of personal data is also at issue. Since the process is health-related, and with regard to the processing of health data, which is among the special data under Article 6 of the Personal Data Protection Law, the Personal Data Protection Institution issued an announcement on 27 March 2020 titled “What You Need to Know Under the Law on the Protection of Personal Data in the Process of Struggling With Covid-19”* and answered some questions regarding the process.
The Institution emphasizes in its announcement that, even in these situations, data controllers and data processors must ensure the security of data subjects’ personal data, while stating that providing health services and protecting public health is essential in this process. Within this scope, personal data and special personal data must be processed in accordance with the law, the measures to be taken must comply with the law, and these should not cause irreversible harm to the fundamental rights and freedoms of persons. Personal data processing activities carried out within the scope of measures taken against the COVID-19 virus should be necessary, related to the purpose, limited and measured. The decisions made in this regard should be within the framework of the guidance and/or instructions of public health institutions, particularly the Ministry of Health, or other relevant institutions and organizations. The Institution stated in the announcement that the data controller should carry out the processing under the basic principles regarding the processing of personal data (to comply with the rules of law and integrity, to be accurate and up-to-date when necessary, to be processed for specific, clear and legitimate purposes, to be related, limited and measured with the purpose of processing, and to be maintained for the time required by the relevant legislation or for the purpose for which they are processed), and that when the purposes and means of processing personal data disappear, this data should be destroyed, erased or anonymized as specified in the Law.
Although Article 6 of the Personal Data Protection Law states that the data subject’s explicit consent must be obtained, by indicating that “It is prohibited to process special personal data of the data subject without the explicit consent of this person.”, the following part of this article sets out the exceptions in which the explicit consent of the data subject need not be sought, by saying “Personal data concerning health and sexual life may only be processed for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing by the persons subject to secrecy obligation or competent public institutions and organizations without seeking explicit consent of the data subject.”
In this announcement of the Institution regarding the processing of health data in terms of Covid-19, it is stated as follows: “…it may be preferred to seek the consent of the employee, especially in terms of processing of health data, and considering the spreading speed of the epidemic, also the employee will be able to report disease with his own consent. In other cases besides obtaining explicit consent, the health data being processed by the occupational physicians will be in question. It is natural that not all data processed in this process may not be special personal data (for example, country information where people travelled recently). In these cases, the personal data processing conditions set under the Article 5 of the Law will have to be taken into account. On the other hand, in the subparagraph (ç) of paragraph (1) of Article 28 of the Law, it is regulated that the provisions of this Law shall not be applied if ‘personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.’ In this context, since the current situation threatens public security and public order, there is no obstacle for processing of personal data by the Ministry of Health and the public institutions and organizations included by the above article…”
Regarding the disclosure requirement, it is stated that the data subject should be informed, in clear, plain, easily accessible, short and understandable language, about what data is processed, for what purposes it is processed, and how long it will be maintained.
To protect the data being processed, the data controller must take the necessary administrative and technical measures. The processed data should not be disclosed to any third party without a clear and mandatory justification. “On the other hand, it should not be forgotten that illegal posts about personal data, especially health data, shared on social media accounts and similar channels may constitute a crime within the scope of article 136 of the Turkish Penal Code No. 5237 at the same time.”
The data to be processed should be limited and related to the purpose; the data should not be processed beyond its scope or more than necessary. “The most possible way without less intervention should be preferred to achieve the targeted purpose.”
Within the scope of frequently asked questions, the Institution answered some questions about the process as follows:
1. Can a healthcare provider communicate with people related to COVID-19 without prior permission?
The administrations have obligations to ensure public health and public order in situations that reach the global epidemic dimension such as the COVID-19 virus. Public institutions and organizations may additionally need to collect and share personal data to combat serious threats to public health. In this context, there is no obstacle in terms of the Personal Data Protection Law for the relevant health institutions and organizations sending people messages related to public health by telephone, SMS or e-mail.
2. It is known that most of the personnel of the organizations work from home during the epidemic. What kind of security measures should be taken during this time working from home?
Personal data protection regulations are not an obstacle to working from home. Personnel can work from home and use their own devices or communication equipment during the epidemic. Legislation on the protection of personal data does not prevent this; however, the necessary administrative and technical measures must be taken to ensure the security of personal data. In order to minimize the risks that may be caused by working from home, the employees should be informed carefully in order to take all kinds of precautions and to protect the personal data, especially ensuring that data traffic between the systems is carried out with secure communication protocols and that it does not contain any vulnerability, and that anti-virus systems and firewalls are updated. However, it should not be forgotten that the measures to be taken by the employees do not eliminate the responsibility of the data controller to ensure the security of personal data under the Law.
3. Can an employer announce to his colleagues/other employees that an employee is infected by the virus?
The employer should inform his employees about the cases. Calling the names out while giving information is not necessary and excessive information should also not be given. In cases where it is necessary to explain the name of the infected employee/employees it is beneficial to inform the relevant employees in advance about this issue in order to take protective measures. The employer has responsibilities to ensure the health and safety of their employees as well as to fulfil its duty to care. In this context, at first step, it may be possible to make statements such as; “… We would like to inform you that a friend working on the 5th floor of our Headquarters building is tested positive for COVID-19. Considering the dates when our friend who has a positive test was at the building, we will identify the people who were in contact with our friend and inform them about the situation… ” As in the example above, in the announcements to be made within an institution, organization or company, it should be notified to the employees that there is a COVID-19 infected employee, that he is working from home or he is on a leave; however, unless it is mandatory, details that will directly identify who the employee is, such as the internal level or team, should not be shared.
4. Can an employer request information from all staff and visitors in the building about the recent travel to the affected countries and symptoms of virus, such as fever, etc?
Employers have legal obligations to protect employee health and ensure the workplace safety. In this context and in the current circumstances, justified reasons will be raised for the employers to ask employees and visitors to inform them about whether they have visited a virus-affected area and/or show symptoms of the disease caused by the virus. The information request must have a strong cause based on the necessity and proportionality and also based on risk assessment. In this case, certain factors such as the travel of employees, the presence of people with chronic illnesses in the workplace or the possibility of being more severely affected by the virus and the instructions or guidance from public health officials should be taken into account. There is no harm in terms of personal data protection legislation to bring certain recommendations to the attention of employees and visitors if they are asked to take appropriate measures based on the fact that they have recently travelled to a virus-affected area and/or show symptoms of the disease.
5. Can the health information of the employees be shared with the authorities by the employer for public health purposes?
In accordance with the provisions of the Article 8 of the Law and the provisions in other relevant laws on infectious diseases, personal data regarding those carrying contagious disease based on notification may be shared with the relevant authorities by the employer.
6. In cases where the organizations are temporarily closed or the capacity of data controllers to fulfil the demands of those concerned is restricted due to COVID-19 during the epidemic, are the periods determined in accordance with timelines and specified in the Personal Data Protection Law and related legislation still valid within the scope of the responsibilities of replying the applications of people and the obligations to our Institution?
Regarding the complaints, denunciations and data violation notifications submitted to our Institution within the scope of the personal data protection legislation, various periods have been determined in the Law and related sub-regulations in terms of the liabilities of the data controllers against both our Institution and the data subjects, and it is important to comply with these periods. Extending the legal periods specified in the Law and related legislation is out of the question; however, taking into consideration the fact that our country is in an extraordinary process and different operational practices (working from home, interleave etc.) are applied by the data controllers within the scope of the measures taken, for each application or data violation notification, the extraordinary conditions that we are in will be considered by the Personal Data Protection Board in terms of the evaluation of the periods that the data controllers are obliged to comply with.