On 28 September 2021, the Turkish Data Protection Authority ("DPA") published an assessment regarding the processing of vaccination information and PCR test results ("Assessment") on its official website (available only in Turkish). Overall, the DPA evaluated the legality of the processing of vaccination information and PCR test results in light of the recent instructions circulated by the Ministry of Internal Affairs and the Ministry of Labor and Social Security obligating private data controllers to process such information. Albeit short, the Assessment contains crucial guidelines on processing health data as per the mentioned governmental instructions. Below is a summary of the Assessment and the issues arising from the DPA's evaluation.

Categorization of vaccination information and PCR test results

The vaccination information and PCR test results of an identified or identifiable natural person are considered one of the special categories of personal data (i.e., sensitive personal data) since they reveal health information as per Article 6(1) of the Personal Data Protection Law numbered 6698 ("PDPL"). The DPA confirmed this in its Assessment and explained that vaccination information and PCR test results shall be processed according to the conditions laid out in Article 6 of PDPL. Although Article 6(2) of PDPL sets forth that processing sensitive personal data is prohibited unless the data subject provides explicit consent, Article 6(3) introduces an exception to this rule, stipulating that health data can be processed without the explicit consent of the data subject only by persons subject to a secrecy obligation or by competent public institutions and organizations for limited purposes such as protection of public health or operation of preventive medicine. It is striking that PDPL, significantly deviating from the GDPR[1], does not allow processing sensitive personal data necessary to carry out the obligations and exercise specific rights of the controller or the data subject in employment relations. The absence of such an exception has caused confusion among data protection law practitioners since the Ministry of Labor and Social Security recently instructed employers to request PCR test results of unvaccinated employees each week.

COVID-19 Related Issues: How will the health data be processed?

Following the recent government instructions, the DPA aimed to clarify the confusion on processing sensitive personal data within the context of Covid-19 measures. In its Assessment, the DPA initially stated that considering the global impact of Covid-19 on health, social life and the economy, processing vaccination information and PCR test results is essential to maintain public health, safety and public order. The DPA then referred to Article 28(1)(ç), which establishes an exemption to the PDPL's material scope of application. This exemption applies to the processing activities within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain public security and public order. Although the wording of this exemption only covers the processing activities undertaken by the mentioned public institutions and organizations, the DPA extended this exemption to all data controllers. In other words, the DPA considers that sensitive personal data processing activities undertaken by all data controllers towards preventing the spread of Covid-19 fall within the scope of Article 28(1)(ç) of PDPL. Thus, PDPL will not apply to these activities.

Exclusion from the Material Scope: Relief for employers?

Scholars have already criticized the absence of an exemption to explicit consent to process sensitive personal data in employment relations and recommended the incorporation of an exemption to PDPL on the processing of sensitive personal data by employers. Nevertheless, according to the PDPL, employers can process sensitive personal data of their employees only when the employee provides explicit consent (although the validity of such consent is debated due to the power imbalance in employment relations). Some suggest that occupational physicians can process employees' sensitive personal data since they are subject to a secrecy obligation, and they act for medical diagnosis, treatment, and nursing services. However, the said solution is not practically feasible as management and HR still might need to obtain employees' health information for organizational or regulatory reasons, and the occupational physician does not act as a data processor or a separate data controller independent from the employer. The Assessment does not shed light on the practical and legal limitations of Article 6 of PDPL. Rather, pursuant to the Assessment, employers can now process sensitive personal data of employees within the scope of Covid-19 measures since PDPL would not be applicable to such processing activities.

In conclusion, the DPA considers that nothing is preventing data controllers from processing Covid-19 vaccination information and/or PCR test results since these are related to the measures for protecting public order, health and safety. As per the Assessment, data controllers are not bound by PDPL while taking and implementing these measures. That said, the DPA noted in its Assessment that the principle of purpose limitation still applies, and personal data processing activities that fall outside the scope of Article 28(1)(ç) or are incompatible with the purpose of maintaining public safety would still be subject to PDPL.

Footnote

1. Article 9(2)(b)
