6 April 2020
As is known, several measures are being taken due to the coronavirus (COVID-19) outbreak, and while taking these measures various personal data, especially sensitive personal data, are being processed. In this regard, the Personal Data Protection Authority (“Authority”), via a public announcement, has explained significant issues regarding the protection of personal data during the COVID-19 outbreak.
The Authority underlines that providing health services and protecting public health shall be prioritized during this period; however, even now, data controllers and processors remain obliged to ensure data security for data subjects. Accordingly, the following aspects are underlined by the Authority:
- General principles while processing personal data: The general principles stipulated under Article 4 of the Law on Personal Data Protection (“Law”) shall be complied with while processing personal data during the COVID-19 outbreak as well. These principles are as follows: lawfulness and conformity with the rules of bona fide; accuracy and being up to date, where necessary; being processed for specific, explicit and legitimate purposes; being relevant to, limited to and proportionate to the purposes for which they are processed; being retained for the period of time stipulated by the relevant legislation or required by the purpose for which they are processed. Upon disappearance of the reasons for processing, personal data shall be erased, destroyed or anonymized.
- Compliance with the law: The Authority states that the processing of personal data must be compliant with Articles 5 and 6 of the Law. With regard to the processing of sensitive personal data, employers might choose to obtain the explicit consent of the employee; or, considering the spreading rate of the COVID-19 outbreak, employees might also notify their employers in case they are infected with the virus. In addition to these, as per Article 6(3) of the Law, workplace doctors, who are under a confidentiality obligation, may process health data without the explicit consent of the data subject. It must be noted that not all of the personal data processed during this period may be sensitive personal data (for example, data regarding the country that the data subject recently visited); in such a case the conditions for processing stipulated under Article 5 of the Law shall apply. Additionally, since there is a situation threatening national security and public order, the provisions of the Law shall not apply to the data processing activities of the Ministry of Health and authorized public authorities and institutions, as per Article 28(1)(ç) of the Law.
- Obligation to inform (transparency): The data controller must be transparent regarding the measures taken, including informing data subjects about the purpose of data collection and the duration of data storage. Individuals shall be provided with information about the processing of their personal data in short, easily accessible, understandable, clear and plain language.
- Privacy: Data controllers and processors are obliged to take all necessary technical and administrative measures to ensure the security of personal data. Without an explicit and compulsory reason, the data shall not be disclosed to any third person.
- Data minimization: The data processing activities aiming to prevent the spread of COVID-19 shall be carried out in accordance with the purpose of processing and be limited to it; excessive processing of personal data shall be avoided.
After the abovementioned explanations, the Authority has answered the following questions:
Healthcare organizations have certain obligations to ensure public health and public order in cases of global pandemics such as the current COVID-19 outbreak. In this regard, public institutions and organizations may need to collect and share personal data in order to combat severe threats to public health. Accordingly, the relevant healthcare organizations and institutions are entitled to send messages regarding public health to data subjects via telephone, text message and e-mail.
In order to minimize the risks arising from remote working, all administrative and technical measures shall be taken, in particular carrying out the data traffic between systems through secure communication protocols, ensuring that it does not contain any vulnerabilities and keeping anti-virus systems and firewalls updated, and employees shall be informed regarding data security. It should also be noted that measures taken by the employees in this regard do not remove the data controllers' obligations regarding data security under the Law.
Employers should inform employees about infection cases; however, while informing employees, the employer shall not provide unnecessary information or the names of the infected employees unless necessary. In case it is required to disclose the name of the infected employee or employees, the employer must inform the infected employee in that respect before the disclosure. It should be underlined that the employer has responsibilities for ensuring the health and safety of employees, as well as a duty of care.
In this regard, as the first step, the Authority gives the following example of an announcement to be made by employers: “We would like to inform you that the COVID-19 test of a colleague working on the 5th floor of the HQ has come back positive. We will further inform the persons who may have had contact with the relevant employee upon determining the dates during which the infected colleague was in the building…”
Accordingly, in announcements made within the organization, institution or company, it should be indicated that there is an infected employee and that the employee is currently, for example, working from home or on leave; however, unless necessary, details which allow the direct identification of the employee, such as the employee's position or department, shall not be given.
Employers are legally responsible for protecting the health of employees and providing a safe workplace. Considering this obligation and the current situation, employers may probably have reasonable grounds to request information from employees and visitors as to whether they have recently visited a country affected by the virus and whether they are experiencing symptoms. This information request must have a strong basis, meaning that it is necessary, proportionate and based on a risk assessment. Accordingly, the travels of employees, the existence of employees who have chronic illnesses or who may be severely affected by the virus, and the instructions and guidance given by the public health authorities shall be taken into account.
Within the framework of Article 8 of the Law and the provisions of other relevant laws regarding infectious diseases, employers are entitled to disclose to the relevant authorities the personal data of those having an infectious disease which is subject to notification.
The legal periods stipulated under the Law and the relevant legislation have not been extended and thus remain valid; however, the Authority will take into account the current extraordinary circumstances when evaluating the legal periods that data controllers must comply with, considering the operational arrangements (i.e. remote working, working in alternating shifts) adopted within the scope of the measures taken.
Ece Güner Toprak
Burçak Kurt Biçer