With the Public Announcement ("Announcement") published on 27.03.2020, the Personal Data Protection Authority ("PDP Authority") clarified the issues to be considered within the scope of the Law on the Protection of Personal Data No. 6698 ("Law") in the process of combating COVID-19.

Accordingly, the following issues were highlighted within the scope of the measures taken against the COVID-19 virus, underlining that data supervisors and data processors should ensure the security of the personal data of the persons concerned even in exceptional times.

  • Personal data processing activities have to be necessary, linked, limited and measured, and the decisions taken in this regard have to be within the framework of the guidance and instructions of the Ministry of Health and relevant authorities.
  • All personal data processing activities have to be carried out in accordance with the general principles for the processing of personal data in the Law.
  • Personal data has to be processed in accordance with the terms regulated in Article 5 of the Law regarding the processing conditions of personal data and/or Article 6 regarding the processing conditions of personal data of special nature, including health data.
  • In terms of processing personal data of special nature, the explicit consent condition may be applied; where explicit consent cannot be obtained, health data should only be processed by workplace physicians.
  • Since the current situation threatens public security and public order, there is no obstacle to the processing of personal data by the Ministry of Health and the public institutions and organizations listed under Article 28/1-ç of the Law.
  • Data supervisors must fulfill their obligation to enlighten.
  • In a data processing activity, necessary administrative and technical measures have to be taken to ensure the security of personal data.
  • In terms of data minimization, data processing activities have to be performed in connection with the purpose and in a limited way, and excessive personal data processing should be avoided.

The PDP Authority has also answered frequently asked questions in the Announcement. Accordingly, it clarified that:

  • The Law does not prevent the relevant health institutions and organizations from sending messages about public health to people by phone, message or e-mail,
  • During the epidemic, staff can work from home and use their own devices. However, necessary administrative and technical measures have to be taken to ensure the security of personal data,
  • The employer has to inform the staff if an employee has the virus; within this scope, the announcements to be made within the company have to state that there is an infected employee; however, unless it is mandatory, details such as the level or team of the employee must not be shared,
  • Employers must have a strong rationale to request information from employees on whether they have visited a virus-affected area or show signs of the disease,
  • Health information of the employees may be shared by the employer with the relevant authorities for public health purposes,
  • In cases where the capacity of the data supervisor to fulfill the demands of the persons concerned is restricted due to COVID-19, the legal periods specified in the legislation regarding the complaints, notices and data violation notifications submitted to the PDP Authority will not be exceeded. However, in terms of evaluating the legal periods, the extraordinary conditions will be considered by the Personal Data Protection Board.

You may access the full text of the Announcement's Turkish version here.
