29 April 2020
Processing personal data is unavoidable while fighting COVID-19. This unprecedented period has raised many questions across the world, mostly regarding the processing of health data, workplace measures, and the processing of personal data by public authorities. Many data protection supervisory authorities around the world, including the Turkish Data Protection Authority (the “TDPA”) and the European Data Protection Board (“EDPB”), have published announcements and guidelines to underline the continued importance of data protection during these difficult times.
PUBLIC ANNOUNCEMENT OF THE TDPA REGARDING DATA PROCESSING DURING COVID-19 OUTBREAK
The TDPA published an announcement on 27 March 2020 on its website in order to draw attention to the protection of personal data while fighting COVID-19 and to remind data subjects of their rights under the Turkish Data Protection Law (“TDPL”). The TDPA also answered some of the frequently asked questions regarding COVID-19 related data processing activities.
In the announcement, the TDPA briefly stated that fighting COVID-19 in these extraordinary days is not an excuse for not complying with the TDPL. It reminded data controllers that when processing personal data, especially health data, they must comply with the general principles of data processing and all the provisions of the TDPL. The announcement underlines in particular the obligation to inform (informing data subjects by providing a short, accessible and easy to understand privacy notice written in clear and plain language), confidentiality (not disclosing personal data to third parties without a compelling justification) and data minimization (data processing should be limited and proportionate to the purpose).
In this regard, the TDPA stated that it is possible to obtain an employee’s explicit consent to process health data, and that, taking into account the spreading rate of the virus, an employee may also report a disease on his/her own initiative. On the other hand, workplace doctors can process health data without the employee’s explicit consent. Additionally, since the current situation threatens public security and public order, there is no obstacle to the processing of personal data by the Ministry of Health and related public institutions and organizations.
The TDPA also answered the frequently asked questions in its public announcement:
1. Can a health organization get in contact with a person in relation to COVID-19 without his/her prior consent?
Yes. Within the scope of the obligation of public institutions and organizations to fight severe threats to public health, relevant health institutions and organizations can make contact via telephone, text message, or e-mail regarding public health.
2. It is known that most of the employees work remotely during the outbreak. What are the security measures that should be taken while working remotely?
In order to minimize the risks that may arise as a result of working remotely, data traffic between systems must be carried out over secure communication protocols with no known vulnerabilities, and anti-virus systems and firewalls must be kept up-to-date. Moreover, all employees must be carefully informed regarding data security. It should be noted that measures taken by employees do not remove the data controller’s obligation to maintain the security of personal data.
3. Can an employer disclose to other employees/co-workers that a certain employee is COVID-19 positive?
An employer should inform its employees about COVID-19 positive cases in the workplace. However, this notice should be limited to the required information only. Patient names or specific information that may directly identify the relevant patient should not be disclosed unless necessary. For example, informing employees about the case by indicating the specific office and floor on which the employee who tested positive was working, and mentioning that management will identify and inform personnel who may have been in contact with this employee, will be sufficient.
4. Can an employer request information from its personnel or visitors regarding their recent travels or whether they have COVID-19 symptoms, such as fever?
Yes, but this information request must be based on necessity and proportionality, and must be justifiable as per a risk assessment.
5. Can employers disclose employees’ health information to authorities for public health purposes?
Yes, employers can share the personal data of employees who tested positive with the relevant authorities, as long as the transfer is carried out in accordance with article 8 of the TDPL and other legislation regulating the collection of data concerning contagious diseases.
6. During the pandemic, when establishments are temporarily closed or the data controller’s capacity to fulfill data subjects’ requests is restricted due to COVID-19, are the timelines specified in the TDPL and related legislation regarding responses to data subjects’ requests and data controllers’ obligations to the TDPA still applicable?
Yes. It is not possible to extend the legal timelines specified in the TDPL and related legislation. However, the TDPA indicates that this is an extraordinary period and the Turkish Personal Data Protection Board will take that into consideration when evaluating the timelines that data controllers are required to comply with.
HOW SOME OTHER DATA PROTECTION AUTHORITIES IN EUROPE APPROACHED THE SITUATION
Other data protection authorities across the world took similar approaches. Like the TDPA, they emphasized the importance of protecting personal data and took into account the legal grounds for processing special categories of data, while reminding data controllers of key principles such as data minimization. However, by relaxing their regulatory approach, they prefer to allow more room for healthcare workers who are fighting on the front lines and for data controllers, who might take wrong decisions despite their good intentions. This flexibility must have limits: it should not involve clearly exposing the identity of an employee who tested COVID-19 positive, and it certainly should not involve exposing detailed health data to employers.
You can find a couple of examples of the authorities’ approach to data protection during the COVID-19 crisis below. You may access the full list of examples from the list provided by the Global Privacy Assembly at https://globalprivacyassembly.org/covid19/
Information Commissioner’s Office (“ICO”) (UK) – The ICO shared a Q&A similar to the TDPA’s, which answers many questions to reduce concerns and presents a detailed policy on how the ICO will approach enforcement during the pandemic. It has recently opened an information hub page, which provides even more assistance regarding COVID-19.
Commission Nationale de l'Informatique et des Libertés (“CNIL”) (France) – The CNIL provided guidance on employer-employee relationships during COVID-19. It also follows a flexible approach: it allows employers to keep records of the identity of an employee who tested COVID-19 positive and the date of the case, but it does not allow employers to collect excessive health data, such as mandatory temperature readings of employees or mandatory sharing of medical records.
Garante per la Protezione dei Dati Personali (“Garante”) (Italy) – The Garante stated that employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual employee or unauthorized investigations, information on the presence of any signs of influenza in the employee and his or her closest contacts, or in any case regarding areas outside the work environment. However, the Garante also stated that employers may urge their employees to make the necessary communications by facilitating the way such communications are transmitted, including through dedicated channels, and by informing the employee that such communications are necessary for the employer to fulfill its obligation to inform the competent entities of any change in the ‘biological’ risk to health at work arising from the Coronavirus. This sits alongside the employer’s other health-related tasks, such as surveillance of workers by the competent workplace doctor and the possibility of having the most exposed employees undergo an extraordinary medical examination. In short, the Garante believes that public authorities, healthcare workers, and institutions should handle this situation, and that employers should not follow a “do-it-yourself” approach.
The Garante also draws attention to the excessive detail being shared on social media and in the news, and urges people to minimize the data they share, as such sharing could affect the families and loved ones of patients.
Alongside these, the Garante offers detailed guidance on new technologies, data sharing in the health sector, interviews, and reports at https://www.garanteprivacy.it/temi/coronavirus (some documents are bilingual; for others, only an Italian version is available).
GENERAL APPLICABILITY OF THE AUTHORITIES’ APPROACHES IN EUROPE AND TURKEY
Above we have explained how different authorities in Europe and Turkey approach data processing during the pandemic. But how do these approaches work, and are they applicable and compliant with the laws?
The General Data Protection Regulation (“GDPR”) provides some exemptions and flexibility for such situations. For example, where processing is necessary for reasons of public interest in the area of public health, the GDPR allows member states to provide specific measures for the protection of health and safety at work while protecting the vital interests of the data subject.
The EDPB is responsive to the situation and issued a statement called “Statement on the processing of personal data in the context of the COVID-19 outbreak”. The EDPB evaluates the exemptions that allow processing of personal data as well as popular questions such as employment relations, mobile location/telecom data, and processing of data by public institutions.
The EDPB generally refers to the public health exemption, which allows the processing of special categories of data when it is necessary for reasons of substantial public interest in the area of public health (Article 9/2(i) of the GDPR). The EDPB also considers that articles 6 and 9 of the GDPR allow the processing of personal data by public authorities, in particular when it falls under the legal mandate of the public authority provided by national legislation. Moreover, in the employment context, alongside the public health exemption, the GDPR refers to processing that is necessary to protect the vital interests of the data subject (Article 9/2(c) of the GDPR) and to health and safety obligations, which can be specifically regulated through national legislation (Article 88 of the GDPR). However, the EDPB emphasizes that the general principles stipulated under article 5 of the GDPR (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability) must still be applied when processing personal data for the purpose of protection from COVID-19.
Though Turkey is not an EU member state, the TDPA’s approach is to follow the EU and the application of the GDPR closely, as the TDPL was also drafted along European lines. This approach is also clearly visible in the public announcement mentioned above.
However, when it comes to processing special categories of data, especially health data, the TDPL imposes very strict rules compared to Europe.
The TDPL only allows the processing of health data with the explicit consent of the data subject, or by persons or authorized public institutions and organizations under an obligation of secrecy, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services. Due to the absence of a specific provision in the TDPL providing a legal ground for the processing of health data within the scope of the employee and employer relationship, Turkish employers have limited legal grounds for processing health data.
In an effort to address this conflict, in its announcement mentioned above, the TDPA stated that “the employer has the obligation to provide health and safety for its employees and at the same time, to fulfill its obligation to care”. This seems to provide guidance to some extent for the employers at this stage.
Nevertheless, it is once again worth noting the immediate need for the Turkish legislature to enact legal grounds in the TDPL for the processing of health data specifically by employers.
Note: The TDPA’s announcement is only available in Turkish on its website.
Note: The official translation of the announcement on the web page uses the word “influenza” instead of COVID-19.