Following the announcement of the COVID-19 pandemic by the World Health Organization, increasingly restrictive measures to curb the spread of the virus have been taken in Turkey, as in many other countries worldwide. These measures lead to additional personal data processing activities and raise new challenges in terms of compliance with data protection law.

The Turkish Data Protection Authority (the “DPA”) released two announcements on 23 March 2020 and 27 March 2020 regarding the data processing principles to be considered during the fight against the pandemic. These announcements included a set of Frequently Asked Questions and underscored the data security obligations of data controllers and data processors in this context.

It is important to point out that the measures implemented to fight the pandemic do not abolish or suspend the current obligations of data controllers arising from Law no. 6698 on the Protection of Personal Data (the “Law”). Data controllers and data processors must ensure that data processing activities carried out within the scope of these measures remain in compliance with the Law and should take all the necessary administrative and technical measures to protect the data they process from unauthorized access or use.

The DPA’s announcements emphasize that it is crucial for data controllers to pay attention to the following principles when processing personal data, especially health data:

Fundamental principles: Data processing activities within the scope of the measures taken against the pandemic should be carried out in accordance with the fundamental principles: compliance with the law and good faith, keeping data accurate and up-to-date (when necessary), and processing personal data only for specific, clear, and legitimate purposes, in a manner that is relevant, limited, and proportional to such purposes. Personal data should only be stored for the period provided under the law or for the period needed to achieve the data processing purpose. If the reasons for processing no longer exist, the personal data being processed must be deleted, destroyed, or anonymized.

Compliance with law: The conditions for lawful processing of personal data are set forth under Article 5 of the Law, while Article 6 addresses the conditions applicable to special categories of personal data, including health data. Personal data processing activities undertaken within the scope of the fight against the pandemic must remain compliant with these conditions.

If the health data of employees is processed without their explicit consent, the processing must be carried out by the workplace medical doctors, who are subject to a duty of confidentiality. In addition, the measures set forth in Decision no. 2018/10 dated 31 January 2018 of the Turkish Data Protection Board (additional measures to be adopted for special categories of personal data) must be put in place.

Information obligation: Data controllers must fulfil their information obligation during the pandemic as well. The data subjects should, in particular, be informed of how their data will be processed, including the purpose for which their data is collected and the time period for which it will be stored.

Privacy: Administrative and technical measures should be implemented to ensure the security of the personal data processed within the scope of the measures taken against the pandemic. The personal data of persons affected by the disease should not be disclosed to any third party without a clear and mandatory reason. It should also be kept in mind that the illegal posting of personal data, especially health data, on social media accounts and similar platforms constitutes a crime under the Turkish Criminal Code no. 5237.

Data minimization: As with all data processing activities, data processing carried out for the purpose of preventing the spread of the COVID-19 virus should remain consistent with and limited to the purpose of processing. The processing of any data in excess of the necessary data must be avoided.

All measures announced by public authorities and institutions such as the Ministry of Health, the Ministry of Industry and Technology, and the Ministry of Family Affairs, Labour and Social Services should be applied in accordance with the principles set out above. This includes steps such as measuring the fever of employees or obtaining declarations from employees in case of contact with persons who have traveled abroad in the past 14 days or were diagnosed with the disease.

Frequently Asked Questions

What kind of security measures should be taken in the context of remote working?

As the remote working model has become more widespread recently, administrative and technical measures should be taken against the risks that remote working conditions pose to data security. To minimize these risks, it should be ensured that the data traffic between the systems is conducted with secure communication protocols, that there is no vulnerability in the system, that the anti-virus programs and firewalls are up-to-date, and that employee awareness of the security of personal data is increased. Data controllers must keep in mind that the measures taken to fight the pandemic do not abolish or suspend their obligation to ensure the security of personal data arising from the Law.

Can the employer disclose that an employee is carrying the virus to other employees?

The employer has a duty to implement the necessary measures in the workplace to comply with its obligations under occupational health and safety regulations and should inform other employees if an employee is affected by the disease. While doing so, however, the employer should not provide more information than necessary, such as disclosing the identity of the concerned employee. It is possible for the employer to indicate


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.