
Turkish Personal Data Protection Authority announcement: Processing of personal data during Covid-19 outbreak

Related people

Hakki Gedik, Partner, Istanbul

Umut Gurgey, Partner, Istanbul

Cinar Sipahioglu, Senior Associate, Istanbul

04 April 2020

As the impact of the Covid-19 outbreak forces regulators to implement urgent measures to combat the effects of the pandemic, the Turkish Personal Data Protection Authority (PDPA) released a public announcement on 27 March 2020 to provide guidance on the general principles of processing personal data during the pandemic, with reference to frequently asked questions.

The PDPA's public announcement is accessible online in Turkish.

Highlights

The PDPA, as part of the actions being taken against the Covid-19 pandemic in Turkey, made an announcement on 27 March 2020. Acknowledging that continuity of public health services and safeguarding public health should be the top priority, the PDPA emphasises that increased processing of personal data is inevitable under the current circumstances; it therefore reminds data controllers of their obligations under the Personal Data Protection Law (Law) and its secondary legislation. To ensure thorough compliance with the Law, the PDPA highlights that administrative and technical measures should be taken carefully against any data privacy violations arising from data exchange for and during the Covid-19 pandemic. Furthermore, the PDPA advises that any decision taken in this respect should comply with the guidelines and instructions of the Ministry of Health and other public healthcare institutions.

As such, the PDPA requires data controllers to exercise the utmost diligence throughout this period of hardship to avoid any irrecoverable damage to data subjects, and declares that it will take into account the current extraordinary conditions due to Covid-19 when reviewing data controllers' legal compliance, on a case-by-case basis.

How to process personal health data of employees during the Covid-19 outbreak

Employees’ health data can be processed upon explicit consent; however, the employees themselves may also disclose their health data to their employers for processing purposes. Occupational physicians engaged by employers, on the other hand, are allowed to process employees’ health data for preventative, protective and informative purposes even where the employees have not given explicit consent, to the extent required and permitted under the law.

Disclosure requirements (transparency) during the Covid-19 outbreak

Data controllers who process personal data should inform data subjects in an understandable and easily accessible manner, using short, clear and plain language, about the methods, means and purposes of processing, including the terms and conditions of data retention.

Privacy within the context of Covid-19

Data of infected subjects should not be disclosed to any third party without clear and compelling justification.

Data minimization during the Covid-19 outbreak

Data should be processed diligently, solely for the purpose of preventing the spread of Covid-19 and only to a limited extent.

Frequently asked questions

Is a healthcare institution allowed to contact individuals about Covid-19 without prior consent?

In order to combat global pandemics such as Covid-19, governmental authorities can contact individuals without necessarily obtaining prior consent, as they may need to collect and share personal data. Such communication by the governmental authorities may include phone calls, messages or e-mails.

What safety measures should be taken during the period of agile working during the outbreak?

To mitigate any data privacy violation risks associated with agile working conditions, an employer should (i) take all necessary administrative and technical measures to ensure that, at all times, online data exchange takes place over secure communication platforms, in particular by preventing any system deficiencies, providing anti-virus programs and keeping firewalls up to date; and (ii) diligently inform all employees of data privacy requirements.

Nevertheless, it should also be noted that any measures adopted by the employees would not release the data controller from its compliance obligations under the law.

Is an employer allowed to disclose personal data of the infected employee to other employees?

An employer can and should regularly inform and update employees about new or active Covid-19 cases among employees and the measures taken, without disclosing any personal data of the infected employee(s). However, if an infected employee was or is in contact with other employees, the potentially exposed employees in particular should be informed; unless strictly necessary for the purposes of adopting the necessary measures, details relating to the infected employee should not be disclosed to this risk group. It would be prudent to inform any relevant employees before disclosing their personal data for the purposes of adopting any protective measures.

Is an employer allowed to request information from all employees or visitors of the workplace as to whether they have visited any countries affected by the Covid-19 outbreak or whether they have had any symptoms of the virus such as fever?

If necessary for the purposes of the employer’s obligation to ensure workplace health and safety, the employer may have just grounds to request information from all employees or visitors to the workplace as to whether they have visited any countries affected by the Covid-19 outbreak or whether they have had any symptoms of the virus such as fever. Nevertheless, any such request should be necessary, justifiable for the purposes of risk assessment requirements, and in line with the principle of proportionality.

Is an employer allowed to share health data of employees with governmental authorities for public health purposes?

Yes, an employer can share health data of the employees with the governmental authorities for public health purposes, in line with the statutory requirements.

Do the legal deadlines and related obligations provided under the law and secondary legislation remain applicable?

The legal deadlines and related obligations provided under the Law and secondary legislation remain applicable; however, the PDPA will take into account the extraordinary conditions due to Covid-19 when reviewing data controllers' legal compliance, on a case-by-case basis.