Personal Data Protection Authority guidance on COVID-19 related data processing activities
2 April 2020 – The Turkish Personal Data Protection Authority (“DPA”) published guidance on 27 March 2020 to address some of the key questions that businesses have been asking regarding their obligations in light of the COVID-19 pandemic.
In light of the DPA guidance, we have put together a summary of issues that businesses should consider below.
1. Can businesses process health data?
Please note that, even during the pandemic period, businesses are obliged to continue to comply with the Law on the Protection of Personal Data (“Law”). Therefore, personal data may only be processed in compliance with articles 5 and 6 of the Law.
As per article 6 of the Law, health data may only be processed in the following circumstances:
- if the data subject gives his or her explicit consent, or
- for the purposes of (i) protection of public health, (ii) preventive medicine, medical diagnosis, treatment and nursing services, (iii) planning, management and financing of health-care services provided that the processing is made by a person, authorised public institution or organisation having a confidentiality obligation.
Accordingly, in the workplace, health data of employees may be processed by workplace doctors or other authorised healthcare personnel bound by a patient confidentiality obligation. However, the processing of personal data must be proportionate, and only the minimum amount of data practicable should be processed for that purpose.
2. Can businesses carry out health checks on employees or customers?
In terms of employees, the DPA has not made clear whether workplace doctors may undertake a health check. However, according to the principles set out under the guidance (please also refer to questions 3 and 5), we conclude that businesses are allowed to undertake non-invasive health checks on employees through workplace doctors for the purposes of protection of public health and the operation of preventive medicine and medical diagnosis services.
In terms of customers (for example in supermarkets or shopping malls), we believe businesses may only undertake non-invasive health checks such as temperature checks with the explicit consent of the customer. Remote temperature checks where the customer is completely anonymised and data is not processed may be possible.
In addition, the DPA has specifically addressed the following Frequently Asked Questions.
3. May an employer require employees and visitors to share information as to their recent travels to infected countries and COVID-19 symptoms such as body temperature?
Employers would have a valid reason to request information on whether their employees and visitors have visited infected countries or have symptoms of COVID-19, given their duty to protect the health of employees and to secure the workplace. However, such information requests must be proportionate and based on a risk assessment as well as on the instructions and guidance of public health officers.
4. May an employer disclose that an employee is infected to colleagues/other employees?
Employers should inform other employees of infections that have occurred in the workplace. However, disclosure of the identity of the infected person must be avoided unless it is unavoidable in order to implement the measures taken and to inform other employees. Employees should be informed by reference to department and location information rather than by naming the employee directly (e.g. an employee working on the 5th floor of the headquarters, a member of the warehouse staff, etc.).
5. May an employer share health information about employees with the authorities for public health purposes?
Yes. As per article 8 of the Law, personal data of persons who are infected by COVID-19 may be disclosed to the authorities for the protection of public health.
6. What data security measures should be taken while employees work remotely?
The Law does not prohibit data processing while working from home. However, in such a case, the relevant administrative and technical measures to protect personal data must be taken accordingly. In order to minimise the risks that may arise from working remotely, the following measures, as well as any other appropriate measures, must be taken:
- data traffic between systems should pass through secure transfer protocols without any known security weakness,
- antivirus systems and firewalls should be kept updated, and
- employees should be kept well briefed. However, please note that measures taken on the personal initiative of employees do not relieve the data controller of its liability.
7. May a health institution contact individuals without their prior consent?
Yes. Considering that health institutions have a duty to ensure public health and public order, they may need to process personal data in order to fight the pandemic. Therefore, these health institutions may send public health messages to individuals by phone call, SMS or e-mail.
8. Is there any amendment to the deadlines for the requirements under the Law?
No. The deadlines have not been postponed. However, when assessing each data subject application and data breach notification, the DPA will take into account the current extraordinary circumstances, which may have forced data controllers to adopt various operational measures that reduce their workforce.