With the rapid spread of the COVID-19 outbreak, many companies operating in different sectors take some additional measures to ensure the safety of their employees and business activities. In this regard, companies have implemented some data processing activities which they did not perform before the pandemic. We have compiled the most frequently asked questions below and share our analysis and application recommendations based on Turkish data protection rules.
1.1. Can employers measure their employees' temperature or ask them whether they have the symptoms of the virus to prevent COVID-19 outbreak and protect public health?
Short Answer: Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, employers can measure their employees' temperature and ask them whether they show symptoms of the virus.
Explanation: As per the Article 6 of the Law on the Protection of Personal Data, ("KVKK" or the "Law") health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from data subjects. Accordingly, provided that the employee is informed about the data processing, persons subject to such secrecy obligation can measure the temperature of the employees. If diagnostic temperature measurement is to be carried out by a person under a secrecy obligation, then informing the employee about the processing will suffice. However, if this measurement is to be carried out by any other person, then, in addition to informing, the explicit consent of the employee must be obtained.
If records regarding questions on the health status of the employee is to be stored, mandatory data security measures, which are set forth under the Personal Data Protection Board's ("Board") decision numbered 2018/10, must be taken with regards to the processing of such personal data. It would be appropriate to erase such personal data during the first periodic erasure process, when the reasons for processing such personal data is no longer valid. Records of erasure are required to be retained for three years.
Within the Public Announcement published by the Personal Data Protection Authority ("Authority"), it has been stated that, provided that compliance with the legislation is ensured, such processing activities are to be considered within the scope of employers' efforts to comply with legal obligations concerning the protection of employees' health and providing for a safe workplace.
Applicable Legislation: Articles 4, 5(1), 6(3), 7(1) and 10 of the Law; Article 7(3) of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
1.2. Can employers ask their employees about the countries they have visited in the past 14 days and/or whether they have been in contact with those who have visited these countries?
Short Answer: Yes. Provided that the general principles are respected and a legal basis for processing personal data is relied upon, employers can ask their employees about the countries they have visited in the past 14 days and whether they have been in contact with those who have visited these countries.
Explanation: According to the Article 4 of the Law, personal data must be relevant with, limited and proportionate to the purposes for which they are processed. In order to comply with such general principle, these questions should be structured as Y/N questions and additional questions which would not constitute a determinant for the final risk evaluation (questions such as with whom the employee was travelling / which cities the employee visited) should not be asked. As per the Article 10 of the Law, employees are required to be informed about the purposes of processing, when personal data is obtained.
If records regarding such queries is to be stored, it would be appropriate to erase such personal data during the first periodic erasure process, when the reasons for processing such personal data is no longer valid. Records of erasure are required to be retained for three years.
Within the Public Announcement published by the Authority, it has been stated that, provided that compliance with the legislation is ensured, such processing activities are to be considered within the scope of employers' efforts to comply with legal obligations concerning the protection of employees' health and providing for a safe workplace.
Applicable Legislation: Articles 4, 5(2)(f), 6(3), 7(1) and 10 of the Law, Article 7(3) of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
1.3. Can employers inform other employees about an employee who tested positive for COVID-19?
Short Answer: Yes, provided that the announcement does not contain any personal data. Other employees can be notified about the issue that an employee was tested positive for COVID-19 within the company, provided that the general principles are respected and the identity of the person carrying the virus is not disclosed.
Explanation: According to Article 4 of the Law, personal data must be relevant, limited and proportionate to the purposes for which they are processed. In this regard, a balance must be struck between the privacy of the person who was tested positive for COVID-19 and the employer's obligation to provide a healthy and safe working environment for their employees.
As stated in the Public Announcement published by the Authority regarding this subject, it would be appropriate not to disclose the name of the employee who was tested positive for COVID-19 or any information which could identify this employee (such as title, team etc.) to the other employees. It was also stated in the Public Announcement that the employees can be informed about that fact that there is a COVID-19 infected employee and that the employee in question is working from home or on leave. But details such as the employee's company title or team should not be disclosed. In this context, attention should be paid not to disclose any information which may lead to the identification of the person concerned.
Applicable Legislation: Article 4 of the Law.
1.4. Can thermal cameras be used on company premises?
Short Answer: Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, thermal cameras can be used on company premises.
Explanation: As per the Article 6 of the Law, health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from the data subject. In this regard, provided that the person is informed, temperature measurements can be carried out by utilizing thermal cameras by persons under a secrecy obligation. If these scans are to be carried out by any other person, then, in addition to informing, the explicit consent of the related person must be obtained. However, if the related person does not wish to give her/his explicit consent, she/he can be asked to conduct its meeting via video conference / telephone.
In any case, employees and visitors must be clearly informed on this measure in accordance with the Article 10 of the Law, prior to their visit to the company premises. In other words, prior to their visit, visitors must be specifically informed about thermal camera scans that are being carried out in order to protect and safeguard public health, and they might be suggested to conduct their meetings via video conference / telephone.
Applicable Legislation: Articles 4, 5(1), 6(3), 10 of the Law.
1.5. Can information regarding a COVID-19 positive employee be disclosed to public institutions and organizations?
Short Answer: Yes. Provided that the general principles are respected and a legal basis for processing health data is relied upon, information regarding a COVID-19 positive employee can be disclosed to public institutions and organizations.
Explanation: Turkish employment law obliges employers to inform their employees, sub-employees and their employers and other related institutions on matters adversely affecting or having the potential to affect (which can also be considered as a serious and imminent threats), the health and safety in the workplace. Additionally, employers are expected to take protective and preventive measures in this regard, to counteract such potential risks.
As per the Article 6 of the Law, health data can be processed for the purpose of protecting public health, by persons under a secrecy obligation (e.g. workplace doctor or health care personnel), without seeking explicit consent from the data subject. In this regard, provided that the person is informed, employee's positive resulted Covid-19 test can be shared with authorized public institutions and organizations, by persons under a secrecy obligation. If this notification is not to be made by a person under a secrecy obligation, then, in addition to informing, the explicit consent of the related person must be obtained.
Within the Public Announcement published by the Authority, it has been stated that employers are allowed to disclose personal data relating to individuals infected with the infectious diseases to competent authorities, provided that they comply with the provisions concerning infectious diseases envisaged under respective laws, and they disclose information which is subject to a notification obligation within the scope of these laws. In the Regulation on the Principles regarding Surveillance and Control of Infectious Diseases, COVID-19 (novel coronavirus disease) is considered among the infectious diseases which should be notified.
Applicable Legislation: Occupational Health and Safety Law No. 6331; Articles 4, 5(1), 6(3), 8, 10, 28(1)(ç) of the Law.
2.1. Can messages notifying measures taken due to COVID-19 such as reduced working hours or halting of retail sales, can be communicated to customers, without prior consent for commercial communications?
Short Answer: Yes, provided that there is a continuous contractual relationship with the data subject and on the condition that there is no promotional content included within the message. Otherwise, no.
Explanation: In accordance with the Regulation on Commercial Communications and Commercial Electronic Messages, prior consent of the recipient is not required with regards to notifications in relation to ongoing contractual relations such as subscriptions and memberships. Consequently, it will not be necessary to obtain prior consent from the receiver of the message (the customer) to report changes in working arrangements that may affect an ongoing and continuous commercial relation (such as retail banking relationships or subscription based telecommunications, electricity, natural gas, water etc. services, gym memberships). However, these informative messages must not include any promotional content.
On the other hand; for the sectors such as retail, automotive, tourism, food, where services are not offered based on an ongoing and continuous customer relationship, it will not be possible to send such notifications without the prior consent of the customer for receiving such commercial messages.
Applicable Legislation: Article 6(2) of the Regulation on Commercial Communications and Commercial Electronic Messages.
2.2. Can customers' temperature be measured at the entrances to offices / stores / shops / branches etc.?
Short Answer: Yes, provided that the person performing the measurement is a healthcare professional, or explicit consent of the data subject is obtained.
Explanation: According to the Law, health data can be processed for the purposes of protecting public health and preventive medicine, by authorized institutions and organizations, and by persons which are under a secrecy obligation, without the explicit consent of the data subject. As long as these data processing purposes are pursued while carrying out such temperature measurements and the persons performing the measurement are healthcare professionals under a secrecy obligation, measurements can be made without obtaining explicit consent from the data subjects.
However, it should be noted that, general principles set forth under the Law must be taken into consideration when processing personal data. For example, conducting health checks at workplaces where customers do not have any direct contact with the employees would contradict the principle of "(data processed) being relevant, limited and proportionate with the purpose of the processing". As another example, failure to erase the results of such measurements following the expiration of health risks would contradict the general principle of "retaining personal data only for the period necessitated by the purpose of processing".
If measurements are not carried out by persons under a secrecy obligation (e.g. healthcare professionals), obtaining explicit consent of the data subjects shall be required.
In any case, it should be ensured that data subjects are informed about the processing of their personal data, prior to commencing such measurements.
Applicable Legislation: Articles 5(1), 6(3) of the Law.
2.3. How a third person trying to communicate with an employee who cannot work due to COVID-19 or a similar health condition, should be informed?
Short Answer: An answer must be given without disclosing any information about the health status of the relevant employee.
Explanation: It is sufficient to inform third persons trying to reach an employee who cannot work due to his/her health condition by stating that the relevant person is not available / present without disclosing any information on his/her health condition.
This also applies, if the employee has given explicit consent for his/her health data to be processed, since the processing of such data by the company and disclosing such information to third parties are separate data processing activities.
Applicable Legislation: Article 6(3) of the Law.
2.4. Can companies (e.g. retail companies, companies organizing fairs, hotels) upon a request from an authorized public institution, disclose information about their customers, visitors and employees to public institutions for purposes of protecting public health?
Short Answer: Yes. In cases where one of the data processing conditions, set forth under Article 5 of the Law is fulfilled, personal data can be transferred without obtaining explicit consent from the data subject. Generally, for the purposes of responding to information and document requests conveyed by authorized public institutions, "being necessary for compliance with legal obligations to which the data controller is subject" condition for processing personal data can be relied upon.
Explanation: If the requested information includes health data, then, in accordance with Article 6 of the Law, such data can be transferred without obtaining explicit consent from the data subject, only for the purposes of protecting public health, and only by persons under a secrecy obligation (e.g., a workplace doctor or a healthcare professional). However, if the transfer is to be performed by any other person, then the explicit consent of the data subject shall be required. "Appropriate Measures to be Taken for the Processing of Special Categories of Personal Data" determined by the Board in its decision No. 2018/10 are also must be taken.
Applicable Legislation: Articles 6(3), 8(2), 28(1)(ç) of the Law.
3.1. It is common for the employee to work from home during the pandemic. What kind of security measures should be taken during this period?
Short Answer: Necessary measures must be taken to ensure the security of the personal data.
Explanation: The legislation on the protection of personal data is not an obstacle for working from home. During the pandemic, employees can work from home and use their own devices or communication equipment. The related privacy regulations do not prevent this specifically, but necessary administrative and technical measures must be taken to ensure the security of personal data.
In order to minimize the risks that may be caused by working remotely, the necessary measures must be taken. For example, the data should be transferred between the home computer and the company servers via a secure communication protocol. The related up-to-date anti-virus systems and firewalls should be installed on employees' computers and the employees must be carefully informed of the security of personal data.
However, it should be noted that the measures taken by employees do not eliminate the obligation of the data controller to ensure the security of personal data under the Law.
Applicable Legislation: Article 12(1) of the Law.
3.2. Can employees process special categories of personal data while working from home? What kind of security measures should be taken to process such data?
Short Answer: Yes, but it is necessary to act in accordance with the data security measures regarding the processing of special categories of personal data.
Explanation: It is important that the necessary security measures are taken by the employer, as the data controller, when employees working from home access to and process special categories of personal from home. Within this context, compliance with the decision of the Board dated 31/01/2018, numbered 2018/10 and titled "Sufficient Measures to be Taken while Processing Special Categories of Personal Data" must be ensured. Particularly, it is important to "use at least two-factor identity validation system" and ensure that the connection is encrypted by VPN or a similar method.
Applicable Legislation: Article 12 of the Law; Decision of the Personal Data Protection Board dated 31/01/2018 numbered 2018/10 and titled "Sufficient Measures to be Taken while Processing Special Categories of Personal Data".
3.3. Can the employer ask employees to use their video cameras at all times while they work from home?
Short Answer: Within the scope of data minimization principle, using video cameras cannot be made mandatory, unless the work specifically requires such an activity.
Explanation: It is only possible to request / require the video camera to be kept open during the whole working period of working from home if the relevant activity complies with the general principles stated under the article 4 of the Law.
Whether the video call can be mandatory in a specific meeting and similar job interview (not during whole working hours) is closely related to whether the case requires video call. Under certain circumstances, it may be made mandatory to conduct meetings with the video camera, provided that the general principles are respected and conditions for the processing of personal data are complied with. If the job does not require video call, it will be necessary to proceed in line with the preference of the employee.
Applicable Legislation: Article 4 of the Law.
3.4. What should be taken into consideration when using a camera while working from home?
Short Answer: Special attention shall be paid to ensure the security of personal data.
Explanation: In cases where a camera is used by employees while working from home, the privacy of both the employee and the persons at the employee's home (such as family members) must be protected. In this context, privacy enhancing technologies (such as blurring the background during video calls) might be introduced. Additionally, the data collected about the person due to the use of the camera at home (that are not possible collect within a business environment; for example, data regarding the family members of the person) must not be processed.
In addition, some of the software used for camera use with regard to working from home might be provided through cloud service providers and the data centres of these software might be located abroad. It should be kept in mind that transfers which do not comply with the conditions specified in Article 9 of the Law may constitute violation of the Law, since using the platforms which data centres located abroad would mean data transfer abroad.
In this context, the "Personal Data Security Guide (Administrative and Technical Measures)" prepared by the Board regarding whether these platforms take necessary data security measures and Board's "Adequate Measures to be taken for the Processing Special Categories of Personal Data" decision dated 31/01/2018 and numbered 2018/10 should be taken into consideration.
Applicable Legislation: Article 12 of the Law; Personal Data Security Guide (Administrative and Technical Measures); Decision of the Personal Data Protection Board dated 31/01/2018 numbered 2018/10 and titled "Sufficient Measures to be Taken while Processing Special Categories of Personal Data".
3.5. Can the video calls, made from home, be recorded? Can the recorded videos and images be published on the social media?
Short Answer: Within the scope of data minimization principle, videos must not be recorded and made accessible to third parties, unless it is mandatory as a matter of course.
Explanation: Video calls can only be recorded if it is required as a matter of course. In such a situation, any person who is going to be recorded should be notified explicitly and clearly prior to the recording activity. Although there may be cases where video recording could be mandatory, if these images shall be published at medias open to public (such as social media accounts), relevant persons must be informed, and their explicit consent must be obtained. It should be noted that such a publication might require getting a copyright from the relevant personal within the scope of the Law on Intellectual and Artistic Works.
Applicable Legislation: Article 4 of the Law.
4.1. What kind of guidance was issued by public institutions and organizations, and authorities regarding the COVID-19 outbreak?
Short Answer: Additional measures that should be taken regarding the COVID-19 outbreak have been published by the General Directorate of Security, the Ministry of Interior, and the Ministry of Culture and Tourism.
Explanation: Within this context, it is stated in the order published on the website of the General Directorate of Security that the use of thermal cameras and advanced thermometers by the private security officers on persons entering to areas where private security officers operate is allowed as long as they are trained accordingly. In the order, it is indicated that this practice will be valid as long as the measures and precautions related to the COVID-19 pandemic taken by the Ministry of Health continue in our country.
Moreover, the circular issued on the website of the Ministry of Interior regulated the working hours of the supermarkets and the number of customers who can shop in the supermarkets. In addition, it has been announced that all city and intercity public transport vehicles will temporarily accept 50% of the passenger transportation capacity specified in the vehicle license.
In the circular published on the website of the Ministry of Culture and Tourism, some measures regarding the tourism sector were included. According to the circular, a protocol covering COVID-19 and hygiene rules / practices should be prepared throughout Tourism Enterprises. The approach of personnel to the customer showing the symptoms of the disease and the procedures to be applied should be defined in this protocol as well. In addition, a social distancing plan should be prepared for general areas of use. In the circular, it is also stated that if the guests or personnel showing sign of illness are identified, the authorities should be notified, the patient should be isolated until taken over by the healthcare institution, and after the end of the stay, the customer's room should be disinfected with the material in accordance with the standards.
It should be noted that the measures mentioned here do not eliminate the above-mentioned principles under the Law. In order for health data to be processed without explicit consent, healthcare personnel must see them. Therefore, although it was envisaged with the regulatory and binding actions in these circulars that health data can be processed, these processing activities must be performed by healthcare professionals, otherwise, explicit consent of the data subject must be obtained.
Applicable Legislation: Order on the Use of the Temperature Measurement Devices by Private Security Officers; Additional Circular on Supermarkets in the Scope of Combating the Coronavirus Outbreak; Circular on Controlled Normalization Process in Accommodation Facilities.
4.2. Are the periods set out under the Law also valid during the COVID-19 outbreak? Should data controllers still have to answer/fulfil data subjects' demands within 30 days?
Short Answer: Yes, but the Authority has announced that it will take the existing extraordinary conditions into account.
Explanation: Within the scope of personal data protection legislation, data controllers must perform certain activities in a tight deadline. For example, they must answer/fulfil data subjects' demands within 30 days and inform the Authority of any data breach within 72 hours. These periods are not extended during the COVID-19 outbreak. However, in the Public Announcement published by the Authority, it has been stated that the extraordinary conditions will be taken into account for each data subject application and data breach notification. Although the Authority did not formally extend these periods, this announcement may be evaluated as a signal that they might act more flexible when taking decisions with regards to data controllers during this period.
With respect to foreign data protection authorities, different approaches have been adopted. For example, Irish data protection authority DPC has stated that, if answering to a data subject application within the foreseen period due to COVID-19 pandemic, data controllers may respond to the data subject stating this situation and then must answer immediately to data subject's application when the relevant obstacle no longer exists.
Applicable Legislation: Article 13(2) of the Law.