In light of the recent events regarding COVID-19,
most companies switched their office based work styles to working remotely
until the current circumstances improve. However, some professions require to
be on field or in office habitats in order to continue its operations properly.
Providing safety at work during a pandemic may require to process personal
data, especially health data. In this information note the processing of personal
data will be reviewed in the context of recent updates regarding the COVID-19 outbreak
under the Turkish Personal Data Protection Law numbered 6698 (“6698 sayılı Kişisel
Verilerin Korunması Kanunu”, “PDPL”) and the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (“GDPR”).
What type of data processing may occur?
Employers might consider to put in place some measures to prevent any infection or virus transmission in the workplace. Taking such measures is not in discretion of employers, on contrary, it is usually a duty and an obligation of employers according to the national law which the employer is subject to. In order to facilitate safety in workplace and mitigate the risks regarding pandemic, employers have to take some measures.
For the first level of protection, employers might want to have information on recent travel activities of visitors and employees. Furthermore, for cases that working remotely is not possible and for even the professions that can be pursued remotely, since there will be a time period that people eventually switch back to their office lives, yet, COVID-19 still be an issue and a danger factor according to the scope of affected areas and potential recovery timeline, more intrusive data processing activities might be necessary. For example, thermal cameras at the entrance of workplaces might be used to prevent any risks and detect any risks regarding the pandemic.
In this regard, even though such thermal cameras do not record or transfer any data to third parties, such processing may fall in the scope of the PDPL or the GDPR. Furthermore, under the GDPR such processing may be regarded as an automated-decision making in cases where a thermal camera includes a function that warns employers and blocks entrance of the data subject if a person subjected to such camera has fever.
Moreover, security cameras record and collect massive amount of data of employees. If such data is not processed to deduce special categories of personal data, such processing shall not fall in the scope of processing special categories of personal data. However, if the footages of video surveillance systems in offices is being used to deduce special categories of personal data, especially health data, in order to spot the employees who show symptoms, such processing shall require to be in compliance with the specific requirements of processing special categories of personal data.
Under any circumstances, employers have to limit their processing to which is relevant with, limited to and proportionate to the purposes for which data is processed and fulfill their obligation regarding the necessary information to be provided to the data subjects prior to the initiation of the processing.
Is it possible to process employees’ personal data in this regard under the GDPR?
The GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.
It provides multiple legal bases applicable to such processing in the scope of legal obligations that arise from Union or Member State law to which the controller is subject or, where applicable, legitimate interests pursued by the controller or by a third party. Moreover, public interest grounds as well as the vital interests of the data subject may justify the processing which includes profiling necessary to develop models that predict the spread of life-threatening diseases or in situations of humanitarian emergencies.
Is it possible to process employees’ personal data in this regard under the PDPL?
Pursuant to Article 4 of the Turkish Occupational Health and Safety Law numbered 6331; “The employer shall have a duty to ensure the safety and health of workers in every aspect related to the work…”. As per Article 5 of the PDPL, personal data can be processed if the processing is mandatory for the controller to be able to perform its legal obligations. Therefore, considering the legal obligations of employers, processing personal data such as recent travel activities to restricted countries in the scope of facilitating safety at workplaces shall be lawful. However, while processing health data, legal obligations may not be sufficient to provide lawfulness under the PDPL.
The PDPL requires some specific conditions in order to facilitate a lawful processing of health data. Such specific requirements provides a narrow scale of lawful basis to processing. As per Article 6 of the PDPL, health data shall only be processed for specific purposes by a person or an authorized public institution and an organization that has a legal obligation of professional secrecy. Therefore, unless the processing is made by a person who is a health professional such as a workplace doctor, such processing will be unlawful under Article 6 of the PDPL. In light of these facts, the employers who intend to process health data such as employees’ body temperatures or medical symptoms have to make sure that such processing is being conducted by health professionals.
Moreover, it is stipulated under Article 28 of the PDPL that data processing within the scope of preventive, protective and intelligence activities to maintain national defense, national security, public security, public order or economic security shall be exempted from the provisions of the PDPL. However, such provision only applies to data processing activities of public institutions and organizations duly authorized to do so by laws. Therefore, such provision shall not apply to private persons and their processing activities of health data within the scope of preventive or intelligence activities.
Author: Aslı Naz Ünlü
 See for the Guidance of Data Protection Commission on data security while working remotely, https://dataprotection.ie/en/news-media/blogs/protecting-personal-data-when-working-remotely
 Solely automated decision-making is the ability to make decisions by technological means without human involvement.
 The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29 2020, p. 17.
 Article 4(ç) of the PDPL.
 See Article 10 of the PDPL for more information regarding such obligation; See Article 13 and 14 of the GDPR for more information regarding such obligation.
 Andrea Jelinek, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak; see for the full text of such Statement, https://edpb.europa.eu/sites/edpb/files/files/news/edpb_covid-19_20200316_press_statement_en.pdf
 Article 6(c) and (f) of the GDPR.
 Article 29 Data Protection Working Party; “In these cases, however, and in principle, the controller can only rely on vital interest grounds if no other legal basis for the processing is available. If the processing involves special category personal data the controller would also need to ensure that they meet the requirements of Article 9(2)(c) of the GDPR.”; Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, As last Revised and Adopted on 6 February 2018, p. 14.
 Article 6 of the PDPL stipulates such purposes as the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.