Companies are implementing numerous measures to prevent the spread of Coronavirus (COVID-19), which sometimes require collecting, analysing and sharing additional information about individuals. Indeed, the preventative measures taken by employers, which are under the obligation to ensure the workplace safety and employees’ health, can in some cases contradict with the Turkish Personal Data Protection Law. For instance, some employers are currently requesting their employees and visitors to provide information on whether they have recently visited the countries affected by Coronavirus and whether they have any Coronavirus symptoms. However, this situation raises challenges regarding the protection of the personal data.
Article 5 of Turkish Personal Data Protection Law stipulates that personal data may be processed without obtaining the explicit consent of the data subject, if it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed; or if it is necessary for compliance with a legal obligation which the controller is subject to.
Employers’ obligation to protect the health and safety of the employees might be deemed within the scope of these exemptions and the employers may be considered exempt from obtaining the explicit consent of the data subject (i.e. employees or third parties, such as visitors) while processing their personal data (except data relating to health) in this respect. However, it is not possible to reach a general conclusion on whether companies can lawfully collect additional information from employees or visitors, which is still a grey area and each case should be carefully and separately evaluated. Employers who wish to be on the safe side of the law should avoid from collecting such data. However, companies who deem that application necessary, they should first determine the necessity of the collection of additional personal data for the purposes of mitigating the risks associated with Coronavirus, by taking into account many factors such as the company’s field of activity, the profile of the employees and the visitors or the like.
Data concerning health is classified as “sensitive personal data” and is subject to an enhanced protection under Turkish Personal Data Protection Law. In principle, it is prohibited to process sensitive personal data without obtaining the explicit consent of the data subject.
According to this law, sensitive personal data relating to health may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing and only by persons under the obligation of secrecy or authorized institutions and/or organizations.
Similarly, in GDPR, data concerning health is specified as one of the “special categories of personal data” and processing such data is prohibited in principle. However, Article 9 of the GDPR allows processing such data if it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or member state law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
The issue of processing special category personal data (such as data relating to health) is not clear in the European Union either. In countries such as Italy, France, Germany, Ireland, England and Spain, the data protection authorities have published guidelines regarding the conditions of processing special category personal data during the Coronavirus outbreak. The Italian Data Protection Authority (Garante per La Protezione Dei Dati Personali) stated that employers cannot oblige employees or visitors to disclose their medical information as to whether they have Coronavirus symptoms or not, information of their closest contacts, or information regarding any other area outside the work environment. It is also stated that the actions for the purposes of preventing the spread of Coronavirus must be carried out by healthcare professionals.
On the other hand, the German Data Protection Authority (LfDI Baden-Württemberg) stated that the employers have a legal obligation to protect the health of their employees and maintain a safe place of work. In this regard, employers have a valid legal basis to process personal data (including data concerning health) to combat the pandemic, so long as the principle of proportionality is preserved. In this respect, the employees and the visitors may be asked whether they (i) are infected or have been in contact with a person who is proven to be infected, or (ii) have been in an area classified as a “high risk” area by the Robert-Koch-Institute during the relevant period.
The Turkish Personal Data Protection Authority has been silent on these issues so far. The Authority may make an announcement or publish a guideline in order to clarify these situations in the forthcoming days.
As a separate note, the data controller or the person who is authorized to process personal data is always obliged to inform the data subjects while processing personal data with regards to the purposes for which personal data will be processed, collected and/or shared, the method of the collection of personal data, and to whom the processed personal data might be transferred.