In light of the recent events regarding COVID-19,
most companies switched from office-based work to working remotely[1]
until the current circumstances improve. However, some professions require people to
be in the field or in the office in order to continue their operations properly.
Providing safety at work during a pandemic may require processing personal
data, especially health data. This information note reviews the processing of personal
data in the context of recent updates regarding the COVID-19 outbreak
under the Turkish Personal Data Protection Law numbered 6698 (“6698 sayılı Kişisel
Verilerin Korunması Kanunu”, “PDPL”) and the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (“GDPR”).
What type of data processing may occur?
Employers might consider putting in place some measures
to prevent any infection or virus transmission in the workplace. Taking such
measures is not at the discretion of employers; on the contrary, it is usually a duty
and an obligation of employers under the national law to which the employer
is subject. In order to facilitate safety in the workplace and mitigate the
risks of the pandemic, employers have to take some measures.
As a first level of protection, employers might
want information on the recent travel activities of visitors and employees.
Furthermore, more intrusive data processing activities might be necessary, both
where working remotely is not possible and for professions that can be pursued
remotely, since people will eventually switch back to office life while COVID-19
may still be an issue and a danger, depending on the scope of the affected areas
and the potential recovery timeline. For example, thermal cameras at the entrance
of workplaces might be used to detect and prevent risks regarding the pandemic.
In this regard, even though such thermal
cameras do not record or transfer any data to third parties, such processing
may fall within the scope of the PDPL or the GDPR. Furthermore, under the GDPR such
processing may be regarded as automated decision-making[2]
in cases where a thermal camera includes a function that warns employers and
blocks the entrance of the data subject if the person subjected to the camera has a fever.
Moreover, security cameras record and collect
massive amounts of data about employees. If such data is not processed to deduce
special categories of personal data, such processing shall not fall within the
scope of processing special categories of personal data. However, if the
footage of video surveillance systems in offices is used to deduce
special categories of personal data, especially health data, in order to spot
the employees who show symptoms, such processing shall have to comply with
the specific requirements for processing special categories of personal
data[3].
Under any circumstances, employers have to
limit their processing to what is relevant, limited and proportionate
to the purposes for which the data is processed[4]
and fulfill their obligation to provide the necessary information[5]
to the data subjects prior to the initiation of the processing.
Is it possible to process employees’ personal data in this regard under the GDPR?
The GDPR provides legal grounds that
enable employers and the competent public health authorities to process
personal data in the context of epidemics, without the need to obtain the
consent of the data subject[6].
It provides multiple legal bases applicable to
such processing, within the scope of legal obligations that arise from Union or
Member State law to which the controller is subject or, where applicable, legitimate
interests pursued by the controller or by a third party[7].
Moreover, public interest grounds as well as the vital interests of the data
subject may justify processing which includes profiling necessary to develop models that predict the spread of
life-threatening diseases or in situations of humanitarian emergencies[8].
Is it possible to process employees’ personal data in this regard under the PDPL?
Pursuant to Article 4 of the Turkish
Occupational Health and Safety Law numbered 6331, “The employer shall have a
duty to ensure the safety and health of workers in every aspect related to the
work…”. As per Article 5 of the PDPL, personal data can be processed if the
processing is mandatory for the controller to be able to perform its legal
obligations. Therefore, considering the legal obligations of employers,
processing personal data such as recent travel activities to restricted
countries in order to facilitate safety at workplaces shall be lawful. However,
when processing health data, legal obligations may not be sufficient to
provide lawfulness under the PDPL.
The PDPL requires some specific conditions to be met in
order for the processing of health data to be lawful. These specific
requirements provide a narrow range of lawful bases for processing. As per
Article 6 of the PDPL, health data shall only be processed for specific
purposes[9]
by a person or an authorized public institution and an organization that has a
legal obligation of professional secrecy. Therefore, unless the processing is
carried out by a person who is a health professional, such as a workplace doctor, such
processing will be unlawful under Article 6 of the PDPL. In light of these facts, employers who intend to process health
data such as employees’ body temperatures or medical symptoms have to make sure
that such processing is conducted by health professionals.
Moreover, Article 28 of the
PDPL stipulates that data processing within the scope of preventive, protective and intelligence
activities to maintain national defense, national security, public security,
public order or economic security shall be exempted from the provisions of the PDPL.
However, this provision only applies to the data processing activities of public
institutions and organizations duly authorized to do so by law. Therefore,
this provision shall not apply to private persons and their processing
of health data within the scope of preventive or intelligence activities.
Author: Aslı Naz Ünlü
[1] For the guidance of the Data Protection Commission on data security while working remotely, see https://dataprotection.ie/en/news-media/blogs/protecting-personal-data-when-working-remotely
[2] Solely automated decision-making is
the ability to make decisions by technological means without human involvement.
[3] The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, p. 17.
[4] Article 4(ç) of the PDPL.
[5] See Article 10 of the PDPL and Articles 13 and 14 of the GDPR for more information regarding such obligation.
[6] Andrea Jelinek, Statement of the
EDPB Chair on the processing of personal data in the context of the COVID-19
outbreak; for the full text of the Statement, see
https://edpb.europa.eu/sites/edpb/files/files/news/edpb_covid-19_20200316_press_statement_en.pdf
[7] Article 6(c) and (f) of the GDPR.
[8] Article 29 Data Protection Working
Party: “In these cases, however, and in
principle, the controller can only rely on vital interest grounds if no other
legal basis for the processing is available. If the processing involves special
category personal data the controller would also need to ensure that they meet
the requirements of Article 9(2)(c) of the GDPR.”; Article 29 Data
Protection Working Party, Guidelines on Automated individual decision-making
and Profiling for the purposes of Regulation 2016/679, as last revised and
adopted on 6 February 2018, p. 14.
[9] Article 6 of the PDPL stipulates
such purposes as the protection of public health, operation of preventive
medicine, medical diagnosis, treatment and nursing services, planning and
management of health-care services as well as their financing.