COVID-19: Analysis of Data Processed During the Coronavirus Outbreak within the Scope of Data Protection Law
Most of the measures companies are taking during the Coronavirus (COVID-19) pandemic require processing employees' personal data and personal data of special nature, and every such processing activity must be examined under the Personal Data Protection Law No. 6698 ("KVKK"). Although the pandemic is an exceptional situation, it is imperative that the processing activities carried out in this period comply with KVKK.
In addition to the guideline addressing the situation in terms of Labor Law, which we previously published on our website, we offer you this guide, prepared in terms of KVKK, to shed light on the processing activities companies face.
1. A Brief Review of the Nature of Information Related to COVID-19
"COVID-19 virus", "Test result positive"
It is unquestionable that the information that an identified or identifiable person has been infected with the COVID-19 virus is health data about that person and is personal data of special nature in terms of KVKK.
“High fever”, “Risk of COVID-19 virus”, “Recent travel abroad”
When evaluated in light of the processing purposes (taking additional measures, checking the person's health, directing the person to health institutions, etc.), the interpretation that a person has a high fever and may therefore have been infected with the COVID-19 virus will also constitute health data about that person, and therefore personal data of special nature. It should not be forgotten that comments made about people are also information that can make them identified or identifiable, and that these comments do not necessarily reflect the truth.
Due to the reason stated in the previous paragraph on the purpose of processing, a question regarding whether the person has "traveled abroad in the recent period" may also result in the processing of health data about the person.
For example, e-mail correspondence about an employee who is learned to have recently visited a country with higher disease rates, treating the employee as potentially infected in order to take additional health measures, out of concern that he or she has been infected.
"Symptoms of COVID-19"
A question asking whether the person shows COVID-19 symptoms is clearly a question about the person's health, and the answer received, whether positive or negative, will be the person's health data and therefore personal data of special nature.
2. A Brief Review of the Processing of Information Related to COVID-19
The document "Precautions to be Taken Against Coronavirus in Workplaces (COVID-19)", published by the Republic of Turkey Ministry of Family, Labor and Social Services, Department of Occupational Health and Safety, states that employees should be "checked with a contactless fever meter before starting work and those who have fever should be directed to the workplace doctor". The announcement published by the Turkish Republic Ministry of Interior Police Department states that having "private security officers, who complement the public security," measure the fever of visitors "... has been evaluated as a reasonable practice in this process and until this process ends."
Fever measurements performed at workplace entrances
Unless the fever measurements taken before employees start work are recorded systematically and regularly, or the measurement is subjected to additional processing, there is no "processing" of personal data or personal data of special nature in the sense of KVKK. Being "subjected to additional processing" here refers to activities such as monitoring the fever measurement area by camera and thereby identifying an employee with a high fever, announcing within the company by e-mail that an employee has been found to have a high fever, or keeping systematic and regular physical records of persons with a high fever. Such activities will mean processing the information that an identified or identifiable person has a "high fever".
If a thermal camera placed at the workplace entrance cannot make the person passing in front of it identified or identifiable, it should be evaluated in the same way as a fever measurement.
For example, if employees enter the workplace through a card turnstile system and pass a thermal camera check at the same time, the hour and minute of the turnstile passage and the cardholder information can be combined directly with the thermal camera records. Indeed, the fact that both systems are held by the data controller will mean that people are identified in the processing activity carried out with the thermal camera system. Otherwise, if it is not possible to make people identified or identifiable, obtaining thermal camera recordings may not mean that personal data, or personal data of special nature, is processed.
Asking employees questions about the COVID-19 virus
As we explained above, health data is processed when employees answer questions by e-mail, such as whether they have travelled abroad, that are asked in order to check their health status, direct them to health institutions, or take additional security measures for employees who are sick or suspected of being ill.
It goes without saying that, whether or not the employee shows symptoms of COVID-19, the exchange of health-related information by e-mail, the creation of records in digital systems by the data controller, and the systematic and regular keeping of records in physical printouts will all constitute processing.
3. A Brief Review in Terms of General Principles
During the pandemic we are living through, the "General Principles" in KVKK Art. 4 must be taken into account. In accordance with the principles we have listed below:
a. Being in compliance with the law and honesty rules:
Adequate Measures in the Processing of Information Related to COVID-19: It should be remembered that, for each activity in which employees' health data will be processed, adequate precautions must be provided in accordance with the Personal Data Protection Board's Decision dated 31/01/2018 and numbered 2018/10 on "Adequate Precautions to Be Taken by Data Officials in the Processing of Special Qualified Personal Data".
Explicit Consent in the Processing of Information Related to COVID-19: Where employees' health data is processed by a unit of the employer such as the Human Resources Department, the explicit consent exceptions in KVKK Art. 5/2, such as the processing being mandated by law or being necessary to fulfill a legal obligation, will not apply.
Here, the first remedy for the employer should be to have the necessary processing activities carried out by the workplace doctor. The cases in which the employee's explicit consent is not required for processing the employee's health data are regulated. In this regard, the processing of health data about the virus by the workplace doctor eliminates the need for explicit consent from the employee.
In particular, it should be noted that seeking the explicit consent of the employee, which is the second remedy, does not add any speed to the difficult process we are experiencing and makes the measures taken by the employer harder to apply. Again, under the current letter of our Law, health data processing by a person other than the workplace physician is possible only by obtaining explicit consent that has been properly prepared and for which the obligation to inform has been fulfilled.
Considering that workplace physicians are present at the workplace only on certain days of the week, and that they may not be at the workplace even on those days because of the process we are experiencing, it is obvious that the letter of the Law should be improved. In this regard, the need for explicit consent exceptions regulated specifically for the employment relationship in the processing of health data, as in Germany and similar countries, is seen more clearly today.
In addition, the statement in the public announcement published by the Personal Data Protection Board under the heading "What to Know under the Law on Protection of Personal Data in the Process of Combating COVID-19", to the effect that obtaining the employee's consent may be preferred, especially for processing health data, and that, considered in this way, the employee will be able to report the disease with his or her own consent, is open to discussion. It is difficult to argue that an employee has given explicit consent by informing any department other than the workplace physician about his or her illness, apart from the case where the notification is made to the workplace physician, who processes the data under an explicit consent exception. Explicit consent represents a declaration of will on a specific subject by a person who has been informed in detail about the action to be carried out. Since the public announcement gives no information, prior to the quoted statement, about the elements of "being related to a certain subject" and "reliance on information", it is not entirely clear whether the statement is to be interpreted as "implicit consent" or whether a new interpretation is being added.
Notification of COVID-19 Information to Health Institutions: Notifications regarding the health status of employees can be made to health institutions by the methods determined by the Ministry of Health. In accordance with KVKK Art. 6, the notification should be based on explicit consent or on one of the exceptions. The processing activity will take the form of domestic sharing of personal data.
It should not be forgotten that the exemption regulated in KVKK Art. 28/1-ç covers "public institutions and organizations authorized by law in order to ensure national defense, national security, public security, public order or economic security". The relevant exception covers the healthcare provider informed by the employer, but not the employer's own processing activities.
Measurement Activities to be Carried Out at Entries: As a basic method of protection against the COVID-19 virus is to keep social distance between people, extra care must be taken to ensure that this distance is also maintained during fever measurements at the company.
The Personal Data Protection Board's decision on the Protection of Personal Data in Service Areas such as Counters, Box Offices and Desks should be considered applicable here as well: measurement activities should not be carried out in a way that allows people to hear, see or learn each other's information. It is also important to inform the persons carrying out the measurements accordingly.
b. Processing for specific, clear and legitimate purposes:
Obligation to Inform Data Subjects: It should not be forgotten that the obligation to inform employees must be fulfilled when their personal data is collected. Whether oral or written methods are preferred for conveying the elements required under KVKK Art. 10, complex, incomprehensible or technical language should not be used towards employees. It should also not be forgotten that, where verbal methods are preferred, the burden of proving that the obligation has been fulfilled lies with the employer.
It should be remembered that the obligation to inform must be fulfilled separately for the explicit consent requested from the employee in order to process health data.
c. Being relevant, limited and proportionate to the purpose for which they are processed:
Notifications to be Made in the Company: It is important to remind that an employer who learns that an employee is ill, and who uses this information to protect the health of other employees in the workplace and to take additional measures, must process it in accordance with the law as explained above.
Secondly, I believe that situations in which disclosing the employee's name serves a proportionate processing purpose are extremely exceptional, because in most cases the relevant warning can be given without making the employee directly identified or identifiable.
Here, the necessary information can be provided by keeping the described area wide enough that the employee cannot be identified, but narrow enough that the people being alerted can understand.
Again, regarding the example included in the public announcement published by the Personal Data Protection Board under the title "What to Know under the Law on Protection of Personal Data in the Process of Combating COVID-19", namely "we would like to inform you that a friend working on the 5th floor of our Headquarters building was positive for the COVID-19 test. Taking into consideration the dates on which our friend whose test was positive was in the building, we will identify the people who were in contact with our friend and inform them about the situation…", it should be kept in mind that few people, or even only one person, may be working on the 5th floor in question, and that, because of shift arrangements, the "dates in the building" of the person whose test is positive will directly cause the relevant person to be identified. For this reason, care should be taken to ensure that individuals cannot be identified from the information provided.
d. Preservation for the period required by the relevant legislation or for the purpose for which they are processed:
Regarding the Retention Time of the Data to be Obtained: In terms of KVKK, it is not obligatory to state how long the processed data will be stored when fulfilling the obligation to inform.
For the processing of personal data and personal data of special nature carried out exceptionally within the scope of temporary measures, it would be prudent to foresee shorter retention periods than for normal activities, taking into account the nature of the activity and the principle of processing limited to the purpose. For example, an employee's data about recent travel abroad can be stored for a limited and shorter period of time.
If the reports obtained from employees are kept as part of the employee health file, it should not be forgotten that the period stipulated in the relevant legislation will continue to apply, and that the retention periods for "processing activities performed with short-term measures" described in the previous paragraph should not be applied to them. (Regulation on Occupational Health and Safety Services, Art. 7: The employer keeps the personal health files of the employees for at least 15 years from the date of termination, without prejudice to the periods specified in the relevant legislation.)
The data protection authorities of some countries have stated that resources assigned to compliance or information governance may be directed to other areas because of the pandemic crisis, that they understand the need to prioritize other areas, and that penalties will not be imposed on account of this process. However, this does not mean that standard legal compliance can be neglected or that data protection laws are "suspended".
Indeed, there is no doubt that during this challenging process a great deal of data about employees and citizens is being processed and needs to be processed. However, for the sake of the continuity of individuals' fundamental rights and to prevent damage to freedom and private life, it should be noted that, unless there is a special regulation granting authority (see the arrangements made for the processing of telephone and location information in disasters and emergencies) or an exemption provided for by law (for example, KVKK Art. 28), the procedures and principles for the processing of personal data are those regulated in KVKK.