Turkish Data Protection Authority ("DPA") published a guideline1 on March 27, 2020 to explain the rules to be followed during the COVID-19 pandemic and the measures that can be taken to mitigate privacy related risks2.
DPA stressed that, even in these exceptional times, data controllers and data processors must ensure protection of personal data. In that regard, the DPA referred to the general principles and stated that personal data processing should be necessary, based on a certain purpose, limited and proportionate.
Accordingly, the DPA underlined the legal grounds for processing personal and special categories of personal data and stated that health data can either be processed if (i) data subject has given his/her explicit consent, (ii) if data subject has disclosed such health data by himself/herself or (iii) through a workplace doctor per Article 6 of the Law No. 6698 on Protection of Personal Data ("DPL"). DPA further referred to the general exemption rule under Article 28 of DPL and stated that processing activities of Ministry of Health and other public institutions and organizations which are authorized by law would not be subject to DPL, as the current situation concerns public safety and public order.
Below are the DPA's answers to frequently asked questions:
1. Can health institutions contact people regarding COVID-19, without prior permission?
Yes. To ensure public health and public order during global pandemic such as COVID-19, public institutions and organizations may need to collect and disclose personal data. Therefore, relevant public institutions and organizations may send health-related messages via phone, SMS or e-mails.
2. During the coronavirus outbreak, many employees are working from home. What security measures should be taken during remote-working?
During home office, employees can use their own devices and communication equipment. To minimize the risks that may arise due to remote working, secure communication protocols, antivirus systems and firewalls should be implemented and employees should be carefully informed the matter.
3. Can an employer disclose that an employee is infected with COVID-19 to his colleagues?
Employers should inform staff about COVID-19 cases and take protective measures, but should not disclose more information than necessary. If it is necessary to reveal employee's name, the concerned employees should be informed in advance and their dignity and integrity should be protected.
4. Can an employer require all employees or visitors to provide recent travel records to the risky zones or symptoms such as temperature?
Employers are subject to obligations relating to health and safety at the workplace and thus, may request such information. However, such requests should be based on the principles of proportionality and necessity and risk evaluation.
5. Can the employer disclose information about an employee to authorities for public health?
Yes, in accordance with Article 8 of DPL and within the scope of other legislation on pandemic.
6. What about the timelines specified for data controllers?
There is no time extension, however, all applications and notifications submitted to DPA will be evaluated by taking into consideration today's compulsory operational practices (remote work, alternate work etc.) and each application will be observed in light of the extraordinary conditions.
2 Please see our article for further information on data protection law aspects of COVID-19 at https://www.mondaq.com/turkey/Privacy/909312/Roads-To-Digital-Resilience-With-COVID-19-Data-Privacy-Perspective
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.