Home

Internal

Global

Contatto

Rödl & Partner ha prestato la propria consulenza per il perfezionamento dell'acquisizione del Gruppo italiano FGV da parte di Hettich |

In tutto il mondo

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.

Data Protection in Turkey during Covid-19

Published on 20 May 2020 | Reading time approx. 2 minutes

The managing body of the Data Protection Authority of Turkey, Personal Data Protection Board, has made a thorough announcement on March 27, 2020 and on April 9, 2020 regarding the processing of personal data during Covid-19 Pandemic.

PROCESSING OF HEALTH DATA AND GEOLOCATION »
DATA PROTECTION OBLIGATIONS »
TELEWORKING »

Processing of health data and geolocation

Personal data concerning health that is considered a “Special Category” of personal data by means of Personal Data Protection Law and processing such health data is subject to the explicit consent of the data subject. Personal data concerning health may only be processed without such explicit consent by persons who assume the obligation or secrecy or authorized public institutions and organizations for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, planning, management and financing of health-care services.

Accordingly, health data of the employees shall only be processed either by the explicit consent of the employee or without the necessity of the explicit consent, by the workplace physician or other health care personnel authorized by the workplace physician such as nurses, health officer, health and safety technical, who are all bound by the obligation of secrecy.

It is a fact that not many workplaces in Turkey have an assigned workplace physician. Therefore, explicit consent seems to be the most appropriate solution for the employer to process the health data of the employees. However, “explicit consent” of the employee is still a debatable concept, especially by means of labor law. Many argue that there is no explicit consent where there is an employment relation and thus the risk of losing a job. Furthermore, explicit consent may always be taken back, so the employer would then have to delete all the former health data that has been processed.

The employer, on the other hand, is obliged to keep the workplace and the employees healthy and safe. Therefore, Personal Data Protection Board has announced that the employer shall inform the employees of the infection cases. Such information shall not include the name of the infected employee as much as possible and only contain only enough data. In cases where the name of the employee shall also be disclosed, the infected employee shall be informed before such disclosure.

The announcement of the Personal Data Protection Board in fact conflicts with the Personal Data Protection Law, as the employer who has not engaged a workplace physician should not have access to and process such health data of the employee. We opine that Personal Data Protection Board made an exception to the law as the right of life supersedes the right of personal data protection. In any case, it is against the Personal Data Protection Law and an immediate amendment to the law is required urgently.

With this regard, the employer may take the fever of the employees at the workplace, may ask about the symptoms of fever or other virus related symptoms and/or the recent travel information of the employees as well as the visitors of the workplace. The employer may also disclose the health data of the employee to the authorized public institutions for the purposes of public health.

Data protection obligations

Is Location Data Considered Personal Data?

Personal Data Protection Law specifically states that in cases where the personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain public safety and public order, the provisions of the law shall not be applied.

There are 3 conditions which are required to be fulfilled;

Personal data should be processed to maintain public safety and public order,
Personal data should be processed by public institutions and organizations duly authorized and assigned by law, and
Personal data should be processed within the scope of preventive, protective and intelligence activities.

In cases where all 3 conditions are met, location data of persons may be processed by the authorized public institutions and organizations. Needless to say, authorized public institutions and organizations shall also take any and all technical and administrative measures in order to protect the safety of the personal data processed and also shall delete such data after the purposes of processing the same cease to exist.

However, any third party real or legal data controllers other than authorized public institutions and organizations shall not.

Teleworking: country specific guides to regulate teleworking

During the times of Covid-19 pandemic, most workplaces adopted working home-office (remote working). Personal Data Protection Law does not hinder working home-office. The employees may work from home (or remotely from some other place) and even with their own devices.

However, it is very important that all technical and administrative measures are taken by the employee while processing personal data during working and also for the protection of the safety of the personal data processed. It is the obligation of the employer / data controller to inform the employees on the measures to be taken and also watch and observe whether such measures are adopted and applied.