In response to the rapid spread of the COVID-19 pandemic, almost all companies across various industries are taking measures to protect their employees and their business activities. In doing so, companies may have to initiate personal data processing activities that they have not been involved in before. Below we have compiled the questions our clients have asked us most often and provided our analysis under the personal data protection rules of Turkey, along with our practical advice.

Question | Assessment | Related Provisions

1. COVID 19: Processing Personal Data Relating to Employees

1.1. Can employers measure their employees' temperature or ask them whether they have the symptoms of the virus to prevent virus outbreak and protect public health?

Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, employers can measure their employees' temperature and ask them whether they show symptoms of the virus.

As per Article 6 of the Law on the Protection of Personal Data ("KVKK" or the "Law"), health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from data subjects. Accordingly, provided that the employee is informed about the data processing, persons subject to such secrecy obligation can measure the temperature of the employees. If diagnostic temperature measurement is to be carried out by a person under a secrecy obligation, then informing the employee about the processing will suffice. However, if this measurement is to be carried out by any other person, then, in addition to informing, the explicit consent of the employee must be obtained.

If records regarding questions on the health status of the employee are to be stored, mandatory data security measures, which are set forth under the Personal Data Protection Board's ("Board") decision numbered 2018/10, must be taken with regard to the processing of such personal data. It would be appropriate to erase such personal data during the first periodic erasure process, when the reasons for processing such personal data are no longer valid. Records of erasure are required to be retained for three years.

Within the Public Announcement published by the Personal Data Protection Authority ("Authority"), it has been stated that, provided that compliance with the legislation is ensured, such processing activities are to be considered within the scope of employers' efforts to comply with legal obligations concerning the protection of employees' health and providing for a safe workplace.

Articles 4, 5(1), 6(3), 7(1) and 10 of the Law on the Protection of Personal Data

Article 7(3) of the Regulation on Deletion, Destruction or Anonymization of Personal Data

1.2. Can employers ask their employees about the countries they have visited in the past 14 days and/or whether they have been in contact with those who have visited these countries?

Yes. Provided that the general principles are respected and a legal basis for processing personal data is relied upon, employers can ask their employees about the countries they have visited in the past 14 days and whether they have been in contact with those who have visited these countries.

According to Article 4 of the Law, personal data must be relevant, limited and proportionate to the purposes for which they are processed. In order to comply with this general principle, these questions should be structured as Y/N questions, and additional questions which would not constitute a determinant for the final risk evaluation (questions such as with whom the employee was travelling / which cities the employee visited) should not be asked. As per Article 10 of the Law, employees are required to be informed about the purposes of processing when personal data is obtained.

If records regarding such queries are to be stored, it would be appropriate to erase such personal data during the first periodic erasure process, when the reasons for processing such personal data are no longer valid. Records of erasure are required to be retained for three years.

Within the Public Announcement published by the Authority, it has been stated that, provided that compliance with the legislation is ensured, such processing activities are to be considered within the scope of employers' efforts to comply with legal obligations concerning the protection of employees' health and providing for a safe workplace.

Articles 4, 5(2)(f), 6(3), 7(1) and 10 of the Law on the Protection of Personal Data

Article 7(3) of the Regulation on Deletion, Destruction or Anonymization of Personal Data

1.3. Can employers inform other employees about an employee who tested positive for Covid-19?

Yes, provided that the announcement does not contain any personal data. Other employees can be notified that an employee within the company tested positive for Covid-19, provided that the general principles are respected and the identity of the person carrying the virus is not disclosed.

According to Article 4 of the Law, personal data must be relevant, limited and proportionate to the purposes for which they are processed. In this regard, a balance must be struck between the privacy of the person who tested positive for Covid-19 and the employer's obligation to provide a healthy and safe working environment for their employees.

As stated in the Public Announcement published by the Authority regarding this subject, it would be appropriate not to disclose the name of the employee who tested positive for Covid-19 or any information which could identify this employee (such as title, team etc.) to the other employees. It was also stated in the Public Announcement that the employees can be informed about the fact that there is a COVID-19 infected employee and that the employee in question is working from home or on leave. But details such as the employee's company title or team should not be disclosed. In this context, attention should be paid not to disclose any information which may lead to the identification of the person concerned.

Article 4 of the Law on the Protection of Personal Data

1.4. Can thermal cameras be used on company premises?

Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, thermal cameras can be used on company premises.

In any case, employers and visitors must be clearly informed of this measure in accordance with Article 10 of the Law, prior to their visit to the company premises. Prior to their visit, visitors must be specifically informed about the thermal camera scans that are being carried out in order to protect and safeguard public health, and it may be suggested that they conduct their meetings via video conference / telephone.

As per Article 6 of the Law, health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from the data subject. In this regard, provided that the person is informed, temperature measurements can be carried out using thermal cameras by persons under a secrecy obligation. If these scans are to be carried out by any other person, then, in addition to informing, the explicit consent of the related person must be obtained. However, if the related person does not wish to give her/his explicit consent, she/he can be asked to conduct the meeting via video conference / telephone.

Articles 4, 5(1), 6(3) and 10 of the Law on the Protection of Personal Data

1.5. Can information regarding a Covid-19 positive employee be disclosed to public institutions and organizations?

Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, information regarding a Covid-19 positive employee can be disclosed to public institutions and organizations.

Turkish employment law obliges employers to inform their employees, sub-employees and their employers and other related institutions on matters adversely affecting or having the potential to affect the health and safety in the workplace (which can also be considered a serious and imminent threat). Additionally, employers are expected to take protective and preventive measures in this regard, so as to counteract such potential risks.

As per Article 6 of the Law, health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from the data subject. In this regard, provided that the person is informed, the employee's positive Covid-19 test result can be shared with authorized public institutions and organizations by persons under a secrecy obligation. If this notification is not to be made by a person under a secrecy obligation, then, in addition to informing, the explicit consent of the related person must be obtained.

Within the Public Announcement published by the Authority, it has been stated that employers are allowed to disclose personal data relating to individuals infected with infectious diseases to competent authorities, provided that they comply with the provisions concerning infectious diseases envisaged under respective laws, and they disclose information which is subject to a notification obligation within the scope of these laws.

Occupational Health and Safety Law No. 6331

Articles 4, 5(1), 6(3), 8, 10 and 28(1)(ç) of the Law on the Protection of Personal Data

2. COVID 19: Processing Personal Data Relating to Visitors and Customers

2.1. Can messages notifying customers of measures taken due to COVID-19, such as reduced working hours or halting of retail sales, be communicated to customers without prior consent for commercial communications?

Yes, provided that there is a continuous contractual relationship with the data subject and on the condition that there is no promotional content included within the message. Otherwise, no.

In accordance with the Regulation on Commercial Communications and Commercial Electronic Messages, prior consent of the recipient is not required with regards to notifications in relation to ongoing contractual relations such as subscriptions and memberships. Consequently, it will not be necessary to obtain prior consent from the receiver of the message (the customer) to report changes in working arrangements that may affect an ongoing and continuous commercial relation (such as retail banking relationships or subscription based telecommunications, electricity, natural gas, water etc. services, gym memberships). However, these informative messages shall not include any promotional content.

On the other hand, for sectors such as retail, automotive, tourism and food, where services are not offered based on an ongoing and continuous customer relationship, it will not be possible to send such notifications without the prior consent of the customer for receiving such commercial messages.

Article 6(2) of the Regulation on Commercial Communications and Commercial Electronic Messages

2.2. Can customers' temperature be measured at the entrances to offices / stores / shops / branches etc.?

Yes, provided that the person performing the measurement is a healthcare professional, or explicit consent of the data subject is obtained.

According to the Law, health data can be processed for the purposes of protecting public health and preventive medicine, by authorized institutions and organizations, and by persons which are under a secrecy obligation, without the explicit consent of the data subject. As long as these data processing purposes are pursued while carrying out such temperature measurements and the persons performing the measurement are healthcare professionals under a secrecy obligation, measurements can be made without obtaining explicit consent from the data subjects.

However, it should be noted that the general principles set forth under the Law must be taken into consideration when processing personal data. For example, conducting health checks at workplaces where customers do not have any direct contact with the employees would contradict the principle of "(data processed) being relevant, limited and proportionate with the purpose of the processing". As another example, failure to erase the results of such measurements following the expiration of health risks would contradict the general principle of "retaining personal data only for the period necessitated by the purpose of processing".

If measurements are not carried out by persons under a secrecy obligation (e.g. healthcare professionals), obtaining explicit consent of the data subjects shall be required.

In any case, it should be ensured that data subjects are informed about the processing of their personal data, prior to commencing such measurements.

Articles 5(1) and 6(3) of the Law on the Protection of Personal Data

2.3. How should a third person trying to communicate with an employee who cannot work due to COVID-19 or a similar health condition be informed?

An answer must be given without disclosing any information about the health status of the relevant employee.

It is sufficient to inform third persons trying to reach an employee who cannot work due to his/her health condition by stating that the relevant person is not available / present without disclosing any information on his/her health condition.

This also applies, if the employee has given explicit consent for his/her health data to be processed, since the processing of such data by the company and disclosing such information to third parties are separate data processing activities.

Article 6(3) of the Law on the Protection of Personal Data

2.4. Can companies (e.g. retail companies, companies organizing fairs, hotels) upon a request from an authorized public institution, disclose information about their customers, visitors and employees to public institutions for purposes of protecting public health?

Yes.

In cases where one of the data processing conditions, set forth under Article 5 of the Law is fulfilled, personal data can be transferred without obtaining explicit consent from the data subject. Generally, for the purposes of responding to information and document requests conveyed by authorized public institutions, "being necessary for compliance with legal obligations to which the data controller is subject" condition for processing personal data can be relied upon.

If the requested information includes health data, then, in accordance with Article 6 of the Law, such data can be transferred without obtaining explicit consent from the data subject, only for the purposes of protecting public health, and only by persons under a secrecy obligation (e.g., a workplace doctor or a healthcare professional). However, if the transfer is to be performed by any other person, then the explicit consent of the data subject shall be required. The "Appropriate Measures to be Taken for the Processing of Special Categories of Personal Data" determined by the Board in its decision No. 2018/10 are also required to be taken.

Articles 6(3), 8(2) and 28(1)(ç) of the Law on the Protection of Personal Data

3. COVID 19: Working from Home – Privacy-Based Issues to be Considered

3.1. It is common for the personnel to work from home during the pandemic. What kind of security measures should be taken during this period?

Necessary measures must be taken to ensure the security of the personal data.

The legislation on the protection of personal data is not an obstacle for working from home. During the pandemic, the personnel can work from home and use their own devices or communication equipment. The related privacy regulations do not prevent this specifically, but necessary administrative and technical measures must be taken to ensure the security of personal data.

In order to minimize the risks that may be caused by working remotely, the necessary measures must be taken. For example, data should be transferred between the home computer and the company servers via a secure communication protocol. Up-to-date anti-virus systems and firewalls should be installed on employees' computers, and the employees must be carefully informed about the security of personal data.

However, it should be noted that the measures taken by employees do not eliminate the obligation of the data controller to ensure the security of personal data under the Law.

Law on the Protection of Personal Data, Article 12(1)

3.2. Can the personnel process special categories of personal data while working from home? What kind of security measures should be taken to process such data?

It is necessary to act in accordance with the data security measures regarding the processing of special categories of personal data.

It is important that the necessary security measures are taken by the employer company, as the data controller, when employees working from home access and process special categories of personal data from home. Within this context, compliance with the decision of the Board dated 31/01/2018, numbered 2018/10 and titled "Sufficient Measures to be Taken while Processing Special Categories of Personal Data" must be ensured. In particular, it is important to "use at least two-factor identity validation system" and ensure that the connection is encrypted by VPN or a similar method.

Law on the Protection of Personal Data, Article 12

Decision of the Personal Data Protection Board dated 31/01/2018, numbered 2018/10 and titled "Sufficient Measures to be Taken while Processing Special Categories of Personal Data"

3.3. Can the employer ask employees to use their video cameras at all times while they work from home?

Within the scope of the data minimization principle, using video cameras cannot be made mandatory, unless the work specifically requires such an activity.

It is only possible to request / require the video camera to be kept on during the whole period of working from home if the relevant activity complies with the general principles stated under Article 4 of the Law.

Whether a video call can be made mandatory for a specific meeting or a similar job interview (rather than during the whole working hours) is closely related to whether the case requires a video call. Under certain circumstances, it may be made mandatory to conduct meetings with the video camera, provided that the general principles are respected and the conditions for the processing of personal data are complied with. If the job does not require a video call, it will be necessary to proceed in line with the preference of the employee.

Law on the Protection of Personal Data, Article 4

3.4. What should be taken into consideration when using a camera while working from home?

Special attention shall be paid to ensure the security of personal data.

In cases where a camera is used by employees while working from home, the privacy of both the employee and the persons at the employee's home (such as family members) must be protected. In this context, privacy enhancing technologies (such as blurring the background during video calls) might be introduced. Additionally, data collected about the person due to the use of the camera at home that it would not be possible to collect within a business environment (for example, data regarding the family members of the person) must not be processed.

Law on the Protection of Personal Data, Article 12

3.5. Can video calls made from home be recorded? Can the recorded videos and images be published on social media?

Within the scope of the data minimization principle, videos must not be recorded and made accessible to third parties, unless it is mandatory as a matter of course.

Video calls can only be recorded if it is required as a matter of course. In such a situation, any person who is going to be recorded should be notified explicitly and clearly prior to the recording activity. Although there may be cases where video recording could be mandatory, if these images are to be published on media open to the public (such as social media accounts), relevant persons must be informed, and their explicit consent must be obtained. It should be noted that such a publication might require obtaining a copyright from the relevant person within the scope of the Law on Intellectual and Artistic Works.

Law on the Protection of Personal Data, Article 4

4. COVID 19: Relations with the Authority During Outbreak

4.1. Are the periods set out under the Law also valid during the COVID-19 outbreak? Do data controllers still have to answer/fulfill data subjects' demands within 30 days?

Yes, but the Authority has announced that it will take the existing extraordinary conditions into account.

Within the scope of personal data protection legislation, data controllers must perform certain activities within tight deadlines. For example, they must answer/fulfill data subjects' demands within 30 days and inform the Authority of any data breach within 72 hours. These periods are not extended during the COVID-19 outbreak.

However, in the Public Announcement published by the Authority, it has been stated that the extraordinary conditions will be taken into account for each data subject application and data breach notification. Although the Authority did not formally extend these periods, this announcement may be evaluated as a signal that it might act more flexibly when taking decisions with regard to data controllers during this period.

Law on the Protection of Personal Data, Article 13(2)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.