The Personal Data Protection Authority made a public announcement with regards to the Processing of Personal Data within the scope of the fight against COVID-19
In a nutshell:
• It is stated that processing various personal data, including sensitive personal data (e.g. data concerning health), is inevitable, due to the measures being taken against the epidemic.
• The general principles in Personal Data Protection Law no.6698 (“Law no.6698”) are reiterated. It is emphasized that all personal data processing activities within the scope of the fight against the spread of COVID-19 should be carried out by keeping and abiding these principles in mind.
• It is stated that the preventive, protective and informative activities of the public institutions are within the scope of exemptions.
• It is further stated that, since the employers have a legal obligation to protect the health and safety of their employees and to provide a safe workplace, the employers have justified reasons to ask their employees and visitors to provide information as to whether they have recently visited the countries affected by the virus and/or as to whether they have any symptoms of the disease. It is also stated that such request for information should have a strong rationale based on the necessity and proportionality principles and risk assessment.
• It is pointed out that the explicit consent of the employees should be obtained for processing the data relating to health, and that processing personal data relating to health without obtaining the explicit consent of the employees can only be carried out by the occupational physicians, provided that other conditions are met. Therefore, it should be underlined that the companies which do not have to employ an occupational physician, may face difficulties in practice. It is emphasized that in order to process personal data other than the sensitive personal data (e.g. information regarding the countries they have recently visited) without obtaining the explicit consent of the data subject, the personal data processing conditions in Article 5 of the Law no.6698 should be taken into account.
• It is underlined that the employers should inform their personnel about the cases in the workplaces, but the names of individuals who carry the virus should not be disclosed unless it is necessary.
• It is reminded that, within the framework of Article 8 of the Law no.6698 and under the provisions stipulated in other relevant laws on contagious diseases, employers can share the personal data of those carrying the contagious diseases with the health institutions.
• It is emphasized that sharing personal data, especially those health relating data, through social media accounts and similar channels may constitute a crime within the scope of Article 136 of the Turkish Criminal Code No. 5237.
This note is intended for general information purposes only and should not be relied upon as a source of legal advice. Independent legal advice should be sought before taking any action based on information contained within this note for each particular case.