Following the measures taken to prevent the spread of the COVID-19 epidemic, which is showing its effect all over the world, many data controllers, especially employers, process special categories of personal data and many other personal data described in the Personal Data Protection Law No. 6698 (“Law”). Accordingly, the Personal Data Protection Authority (“Authority”) has addressed the following points regarding this process.
Personal Data to be Processed by Employers to Prevent the Outbreak
To prevent the spread of the epidemic, the personal data obtained in line with the measures taken should be suitable for the intended purpose, and as little data as possible should be obtained to achieve the goal. For example:
“The questions of when the employee went abroad, whether he/she has symptoms in the context of COVID-19 recently, or whether he/she has a chronic illness that may be in the risk group against the virus are measured questions.”
To prevent the epidemic and to reduce the number of people affected, the process should be carried out by a healthcare professional/workplace doctor.
Announcement of the Infected/Possibly Infected Employee to Others
The employer shall protect the health of the employees at the workplace in line with the legislation. In this context, an example regarding sharing the personal data of employees with others:
“If COVID-19 is detected directly or the name of an employee suspected of the suspect is only sufficient to share such information in the workplace if someone is affected by the virus. Sharing the department or place/floor where the person works to identify other people with whom it may be in contact will also be a moderate share in order to prevent the spread of the epidemic. As a result, the aim here is not to protect who is affected by the virus, but to protect public health as a result of determining that it is someone who is affected by the virus.”
Sharing Personal Data of the Infected/Possibly Infected Employee with Public Organizations
When acting in line with the instructions given by both the Ministry of Health and other relevant institutions and organizations to protect public health, one of the exceptions listed in Article 6 of the Law applies: “… personal data concerning health and sexual life may only be processed for protection of public health …”. Accordingly, explicit consent is not required for the processing of special categories of personal data. We would like to remind you that, although explicit consent is not required, the employee should be informed by the employer, as the data controller, regarding the data processing.
Home-Office System as a Measure
The important thing here is that the employer, who is the data controller, ensures data security. To explain with a concrete example:
“As a precaution under the Law, with the closing of the USB ports, a common system has been created by the employers within the company, allowing workers to access information or documents related to their business activities from here. In this case, necessary security precautions should be taken to prevent data leakage and manipulation that may occur depending on the intensity of use of the relevant area with working from home.”
The Perspective of the Personal Data Protection Authority
The Authority has clarified the above points and has also stated that, because the situation we are in falls within the scope of ‘public health, public security’, it falls within the scope of subparagraph (ç) of paragraph 1 of Article 28.
Briefly, the measures taken by the Ministry of Health and other relevant institutions and organizations are exceptional cases where the Law shall not be applied in terms of protecting public health and public safety.