1. LEGAL LANDSCAPE
  1. Are there any special exceptions/exemptions issued with respect to data privacy due to COVID-19?

No, the Data Protection Law still applies to personal data processing activities along with secondary regulations, principle decisions, decisions and guidance issued by the Data Protection Authority (the "DPA"). There are no special exceptions or exemptions provided by the legislation or the DPA regarding data processing activities, either related or not related to COVID-19.

Therefore, while implementing measures against COVID-19, data controllers must still comply with the data privacy requirements under Turkish laws in their entirety, including the general principles of data privacy, such as fairness, transparency and proportionality. Data controllers must still have legal grounds for processing personal data based on the type of personal data or rely on one of the exceptions provided under the legislation. Although there were certain announcements from the DPA regarding COVID-19, these do not provide any exceptions or exemptions, but rather explain how the existing requirements may apply during the pandemic.

In light of the foregoing, data controllers must bear in mind the general principles of data privacy and their obligations as data controllers in terms of the explanations provided below.

  1. Have there been any announcements from the DPA regarding COVID-19?

Yes, the DPA made four announcements in relation to COVID-19.

  1. "Public Announcement on COVID-19" of 23 March 2020:

In its first announcement addressing COVID-19, the DPA declared that, on a case-by-case basis, it will take into consideration the extraordinary conditions in Turkey while assessing the periods for data subject requests and data breach notifications with which data controllers are obliged to comply. The English version of the announcement can be accessed here.

  1. "Public Announcement" of 27 March 2020:

While acknowledging the necessity of data processing activities due to measures taken against COVID-19, the DPA recalled the importance of complying with the general principles of the data protection regulations and stated that data processing activities must be in accordance with the purposes of processing and must be limited and proportionate, and that the data minimization principle should not be disregarded. The DPA also emphasized the importance of taking the necessary administrative and technical measures to ensure data security during the outbreak.

The DPA has addressed many of the questions employers raised during the pandemic, such as the collection and transfer of health data in workplaces and the security measures to be taken due to remote working. The DPA's position on these workplace issues is elaborated separately below. The English version of the announcement can be accessed here.

  1. "Public Announcement" of 9 April 2020:

The DPA explained that data subjects' health, location and contact information might be processed through mobile applications and other mediums with the purpose of detecting infected citizens and crowded areas, mapping the spread of COVID-19, implementing quarantine measures and curfews, and monitoring quarantined citizens in order to prevent the spread of COVID-19. The DPA referred to the exception provided for public institutions and authorities under the data protection regulations. That said, the DPA also emphasized the sensitive nature of the relevant personal data and underlined that the relevant public authorities and organizations must take the necessary technical and administrative measures to ensure data protection, and delete or destroy the data they collect once the processing purposes no longer exist. The English version of the announcement can be accessed here.

  1. "Public Announcement on the Extension of Registration Periods for VERBIS" of 23 June 2020:

The DPA extended the deadlines for the VERBIS registration due to COVID-19. The new deadline for foreign data controllers, along with local data controllers that are not exempt from the registration requirement, was 30 September 2020. Note that, on October 1st 2020, the DPA published an announcement acknowledging that there are various data controllers that are under the obligation to register with VERBIS but were unable to complete, or had not yet applied for, registration by the deadline due to COVID-19-related impossibilities. Accordingly, the DPA will start notifying these data controllers and ask them to fulfill their registration obligation within the remedy periods to be notified by the DPA.

The new deadline for local data controllers whose main activity includes processing of special categories of personal data, and for public institutions and organizations, is 31 March 2021. The English version of the announcement can be accessed here.

2. TEMPERATURE CHECKS
  1. Can we perform temperature-checks before entering premises without explicit consent?

Yes, to the extent the results are not recorded.

The Data Protection Law and its secondary regulations apply only if personal data is processed through automated means or, if the personal data is part of a filing system, through non-automated means. Accordingly, if the temperature information is not recorded in a way that would allow identification, such temperature checks might not be within the scope of the Data Protection Law.

Data privacy requirements, however, would apply if the results are recorded in a way that will allow identification through automated means (e.g. recording thermal screening data along with CCTV footage in the entrance) or non-automated means where data is part of a filing system (e.g. someone checks the temperature of an individual and records the result on a paper list/form along with the name/ID number of that individual).

  1. How can we process this data, and for how long can it be stored?

If the Data Protection Law applies to the temperature checks per our explanations above, these checks would constitute processing of health data under the Data Protection Law. Therefore, the data controller should perform such processing (i) based on the explicit consent of the relevant individual or (ii) by those under a confidentiality agreement for the purposes under Article 6(3) of the Data Protection Law such as public health and safety (i.e. workplace doctors according to the DPA, please see below).

In terms of option (ii) above, with its announcement of 27 March 2020, the DPA has allowed processing of health data without consent, to the extent this processing complies with Article 6(3) of the Data Protection Law and thus processing is conducted by "workplace doctors for health services". This being said, the Data Protection Law does not expressly require workplace doctors or healthcare professionals to process health data.

Data security: Health data falls within the scope of special categories of personal data under the Data Protection Law. Therefore, data controllers must also implement the additional adequate measures determined by the DPA in its decision of 31 January 2018 with number 2018/10 regarding processing of special categories of personal data. The DPA's decision is accessible in Turkish here.

Disposal: The data controller must dispose of the records pertaining to these screenings, which constitute health data, once the purposes for which they were collected no longer exist. Furthermore, if the processing is based on explicit consent and the data subject withdraws their consent, the data controller may be obliged to dispose of the relevant data unless another legal ground exists for retention of that data (e.g. legal obligation to retain the relevant data).

  1. What if the temperature is above the risk level?

The information that someone's temperature is above the risk level would also constitute health data.

Therefore, if the results of temperature checks are not recorded, the information that someone's temperature is above the risk level should not be recorded either, since such records might constitute processing of health data in a way that triggers application of the Data Protection Law. In this case, it is recommended that the individual is directed to the closest appropriate health services, which may be healthcare professionals such as workplace doctors within the institution or an external healthcare institution.

If the data controller performs the temperature screening and records the results based on the explicit consent of the data subject, the data controller may record and use this data within the limits of the explicit consent obtained from the relevant data subject.

Similarly, if the data controller has a healthcare professional (e.g. workplace doctor) perform temperature screening and record the results, such processing should nevertheless comply with the limitations set forth under Article 6(3) of the Data Protection Law and thus should be limited to the purposes of protecting public health.

  1. Is an employer permitted or required to provide COVID-19-related health information to government or health authorities?

The Data Protection Law does not apply to the processing that authorized public institutions conduct within the scope of their preventive, defensive and intelligence activities for national and public security and public order. Considering the scope of COVID-19's effect on the vital interests of the public, authorized institutions may request employers to undertake certain collection and processing activities and/or disclose certain information about their employees to the authorities. Therefore, if public authorities request employers to undertake certain collection and processing activities or disclose their employees' health conditions within the scope of the COVID-19 pandemic, employers can disclose these data based on their legal obligation. The DPA has also confirmed in its announcement of 27 March 2020 that public institutions and organizations may have to collect or share personal data as part of the measures against severe threats to public health and may send communications to data subjects in relation to public health through the telephone, text messages or e-mail.

According to the DPA's announcement of 27 March 2020, in light of Article 8 of the Data Protection Law and other requirements under the relevant legislation regarding contagious diseases, employers may disclose to the relevant authorities the personal data related to individuals who have a notifiable contagious disease. Based on the amendment published in the Official Gazette of April 22, 2020, COVID-19 is listed as a "contagious disease" within the scope of the Regulation on Surveillance and Control Principles Concerning Contagious Diseases, which allows the Ministry of Health and other ministries in collaboration with the Ministry of Health to conduct surveillance activities on contagious diseases. Based on this regulation, the authorities may request information from employers regarding their employees for controlling COVID-19.

Employers must also ensure that (i) the employees are adequately informed regarding such disclosure in accordance with the data protection regulations, (ii) the scope of the disclosed information is limited to what is necessary, proportionate and justifiable, (iii) the information is only disclosed to the officials of the responsible and competent authorities, (iv) there are appropriate safeguards for the protection and security of relevant data concerning its collection, processing and subsequent disclosure and (v) the data is destroyed once the legitimate purposes of its retention cease to exist.

From an employment law perspective, if there is an employee who feels unwell or suspects that he/she is infected with COVID-19, the employer must inform the occupational health and safety board in the workplace or the task force (the Ministry of Labor requires establishment of such a task force, which will, among others, take the necessary actions in relation to the precautions to be taken in the workplace with respect to COVID-19). The respective employee needs to wear a mask and visit the workplace doctor. After the medical check by the workplace doctor, in case the employee is still suspected of being infected with COVID-19, he/she must be isolated from the other employees, and the employer must contact the relevant health authorities for them to pick up the employee and take him/her to a hospital. Other employees, with whom the infected employee has had contact, must be identified as well. The employer must contact the health authorities (the hotline of the Ministry of Health, Alo 184 or 122) as soon as possible and follow their recommendations with respect to these individuals.

COVID-19 positive employees must be treated as "sick employees", i.e. they must be notified to the Social Security Institution as temporarily disabled (geçici iş göremezlik).

  1. Can the employer disclose information about an employee to other employees?

Only to a limited extent.

As specified by the DPA in its announcement of 27 March 2020, employers may inform their personnel about COVID-19 cases within the company. Employers do not have to provide the names of the infected employees and must avoid providing any information that is redundant or unnecessary. In the event that it is mandatory for the employer to disclose the names of the employees infected with COVID-19, the employer must initially notify the infected employees about this disclosure.

Within its announcement, the DPA has offered the following wording as an example of such disclosure:

"We would like to inform you that a colleague working on the fifth floor of our head office tested positive for COVID-19. We will discover the dates in which this colleague who tested positive for COVID-19 was at the head office, and will identify and inform individuals who may have been in contact with the relevant colleague."

As seen in the example wording, according to the DPA, employers should refrain from giving excessive information in a way that would reveal infected employees' identity, such as their internal level or team.

3. COVID TESTS
  1. Can the employer require that employees take COVID-19 tests and process results of such tests?

The tests and subsequent processing of results would constitute processing of health data, which is allowed only if (i) a healthcare professional performs the tests and the subsequent processing of test results limited to the purposes of public health and safety; or (ii) the data subject has given explicit consent to such processing.

When considering workplace testing and health data, employers should rely on explicit consent if they wish to obtain and record results of COVID-19 tests. To the extent these results will be obtained and recorded merely by healthcare professionals, without being disclosed by any means to employers or any other employees within the organization (e.g. human resources manager), employers can rely on Article 6(3) of the Data Protection Law, which allows processing of health data without seeking explicit consent from the data subject. In any case, it is important to take measures to prevent any data flow (related to test results) within the organization. Otherwise, the legal basis under Article 6(3) for such processing would no longer be applicable.

Data security: Health data falls within the scope of special categories of personal data under the Data Protection Law. Therefore, data controllers must also implement the additional adequate measures determined by the DPA in its decision of 31 January 2018 with number 2018/10 regarding processing of special categories of personal data. The DPA's decision is accessible in Turkish here.

Disposal: The data controller must dispose of the records pertaining to these screenings, which constitute health data, once the purposes for which they were collected no longer exist. Furthermore, if the processing is based on explicit consent and the data subject withdraws their consent, the data controller may be obliged to dispose of the relevant data unless another legal ground exists for retention of that data (e.g. legal obligation to retain the relevant data).

Note that any legal obligation requiring employers to subject their employees to COVID-19 tests (e.g. due to the employer's obligations related to workplace health and safety) would not give employers the right to bypass their foregoing obligations arising out of the Data Protection Law.

  1. Can an employer appoint a healthcare professional to carry out the testing?

Yes.

As explained above, employers may rely on Article 6(3) of the Data Protection Law, which allows processing of health data without consent, if they appoint a healthcare professional to carry out the testing.

4. REMOTE WORKING
  1. What about data protection and remote working?

Data controllers must not forget that their obligations regarding the security and protection of personal data also apply outside the workplace and extend to remote working as well. Therefore, it is recommended that employers remind their employees of the obligations and ways to protect the security of their personal data, as well as that of the personal data they are processing for their employer.

  1. What can we do about the increased exposure to data security risks?

It is recommended that employers (i) update their existing information and data security policies and procedures as well as any guidance on device security, (ii) update data breach / incident response plans and procedures in line with current requirements, (iii) prepare any missing ones to fill the gaps and (iv) circulate these resources to the employees on a periodic basis to ensure awareness and easy access.
