Covid-19 pandemic has been affecting our country and the world. Employers have implemented a set of measures to protect their employees from this pandemic, generally, prompted their employees to remote work.

Data protection is not a barrier to different types of remote work. However, remote work may cause a set of data breaches.

Employers are at the same time data controllers, according to Law No. 6698 Turkish Data Protection, their obligations are still going on during the remote work period. In this context, all necessary organizational and technical measures will be taken into consideration to ensure data security. It will be benefical to glance at following points.

  1. The employer should check that the devices used in remote working have all the necessary security measures.
  2. As it is stated in "Public Announcement" dated 27.03.2020, published by the Turkish Data Protection Authority, all kinds of measure should be taken to minimize the risks caused by remote work. Within this scope, it is suggested to ensure data traffic between the systems carried out with the secure communication protocol to update firewalls and anti-virus systems.
  3. An employee should obey the privacy policy and take all measures to prevent data acquired by them to be accessed by third parties. In this context, an employee should be informed for data security (but, it should not be forgotten that informing the employee will not remove the obligation of the data controller/employer)
  4. An employee should communicate with service providers which are confirmed by the employer and an official email address. Within this period if it is possible, restriction of system access may be useful.
  5. The adaquate measures stated in the Decision No. 2018/10 of the Turkish Data Protection Authority should be taken, when processing of special categories personal data.
  6. During the remote working period, the employer's non-stop monitoring of the devices used by the employee, tracking with a camera/microphone or recording video/audio may constitute disproportionate interference in the privacy of the employee. At the same time, this type of application may violate the "being relevant, limited and proportionate to the purposes for which data are processed" principle which is stated in Turkish Data Protection Law Article 4.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.