Can health organizations inform about Covid-19 by contacting people without prior permission?

In accordance with paragraph 6 of article 6 of the Law on Personal Data Protection, public institutions and organizations may need to collect and share personal data to combat serious threats to public health. In line with the Board's statements on this matter, there is no obstacle in terms of the Law for the relevant health institutions and organizations to send messages related to public health via telephone, message or e-mail.

Can the workplace doctor share the health data of the employee with the employer?

The workplace physician should not share the employee's health data with COVID-19 symptoms or whether he has a fever. Instead, the employer can empower the workplace doctor to send the workers to work or rest at home, depending on the situation. In addition, the occupational physician may request that the employee visit a higher health institution for the purpose of protecting public health and, if necessary, inform the authorized public institutions on this issue.

Can employers measure the fever of their employees or visitors?

Employers can measure their fever during their entry into the workplace without the explicit consent of the persons concerned through the workplace physicians and keep the results in the health files kept by the workplace physicians instead of processing them into the personal files of the employees. It is also necessary to make sure that the interventions to be made through the workplace physicians are illuminated by the Lighting Texts prepared for the employees or visitors.

On the other hand, it will be against the Law for employers who are not workplace physicians to raise questions about their health, to measure their fever and to isolate them without any illumination and explicit consent.

Can the employer explain that his employee is showing Covid-19 symptoms?

The employer should not share the information of employees who show Covid-19 symptoms. If absolutely necessary, it can share the number of employees who work from home or reported, without associating it with any health data.

In cases where it is difficult to disclose the name of the employee / employees infected by the virus in order to take protective measures, the relevant employees should be informed in advance.

First of all, an explanation can be made as the example: "we would like to inform you that the COVID-19 test of a friend working on the 1st floor of our Head Office building was positive. Taking into consideration the dates of our friend whose test was positive, we will identify the people who are in contact with our friends and inform them about the situation."

Can the employer request information from its employees or visitors about their recent travels to the affected countries?

Employers have legal obligations to protect employees' health and ensure a safe workplace. In this context and under the current circumstances, justified reasons will be raised to ask employers and employees to inform themselves about whether they have visited a virus-affected area and / or show signs of the disease caused by the virus.

Can the health information of the employees be shared by the employer for public health purposes with the authorities?

Within the framework of Article 8 of the Law and the provisions in other relevant laws, it is possible to share the personal data with relevant authorities related to those contagious diseases which has obligation to notify.

What precautions should the employer take as the data controller, prior the video conference meetings?

During the video conference meetings held by the employers with their employees, company partners, representatives and customers, the data about real persons including voice and video recording, message and documents whose identity can be determined or identified can be stored on the server of the software and / or application company (the data center will be indirectly transferred abroad if the data center is abroad) and may be shared with third parties.

According to article 12 of the Law, data controller;

  1. has to prevent personal data from being processed unlawfully,
  2. has to prevent personal data from being illegally accessed,
  3. has to take all necessary technical and administrative measures to ensure the protection of personal data, to ensure the appropriate level of security.

In this case, the data controller employer has to work with service providers who have taken strong cyber security measures that give confidence in compliance, privacy and transparency. Providing cyber security in terms of the network used by employees participating in video conferencing, taking necessary administrative measures (such as firewall, gateway, antivirus programs), to protect information and documents shared in the video conference meeting in case of a result of unauthorized accesses of cyber attacks.

Another point that should be emphasized here is that the measures to be taken by the employees within the scope of the Law will not eliminate the responsibility of the data controller's in ensuring the security of personal data.

What is the responsibility of cloud service providers for the Law?

According to the "Data Controller and Data Processor's Guide" published by the Personal Data Protection Authority, cloud service providers are qualified as data processors by handling only the data determined by the data controller and not using the data for their own purposes in accordance with the contract with the data controller. Therefore, data controllers and cloud service providers are jointly responsible for taking the necessary measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.