On 28 September 2021, the Turkish Data Protection Board (the “Board”) published a long-awaited announcement regarding its position on the processing of personal data related to Covid-19 PCR test results and vaccination status, based on its decision No. 2021/980 of the same date.

The Board’s announcement specifically refers to the following letters issued by the Turkish Ministry of Interior and the Turkish Ministry of Labour:

• • Letter of the Ministry of Interior dated 20 August 2021, under which it is mandatory for the persons who want to participate in activities gathering large crowds (such as concerts, cinema or theatre) or to use public transportation, to submit Covid-19 PCR test results or proof of vaccination.
• • Letter of the Ministry of Labour dated 2 September 2021 under which, within the scope of the preventive and protective measures to address health and security risks in the workplace, private sector employers may require employees who are not vaccinated against Covid-19 to have a PCR test performed once a week, and to record the test results in order to take the necessary actions.

The Board noted that pursuant to Article 28 of Turkish Law No. 6698 on the Protection of Personal Data (the “Law”), the provisions of the Law do not apply to data processing activities performed within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations duly authorised and entrusted by law with ensuring national defence, national security, public security, public order or economic security.

The Board stated that while Covid-19 PCR test results and vaccination status constitute sensitive data that should normally be processed in the conditions set forth under Article 6 of the Law, the processing of such data within the scope of preventive and protective activities carried out by Turkish public institutions and organisations to prevent the spread of the disease can be assessed in light of Article 28, and is therefore not subject to the provisions of the Law.

Although the announcement focuses on public institutions and does not make any clear reference to the processing of personal data by private entities, the Board seems to be taking the position that data processing activities conducted by private entities to implement the measures set forth in the letters of the Ministry of Interior and the Ministry of Labour, to the extent they are performed as part of the fight against the pandemic within the limits defined by these ministries, would fall outside the scope of the Law altogether. Further formal clarification through the Board’s future decisions will likely be needed to confirm this interpretation.

Please do not hesitate to contact us for any further information on this briefing.