The Legal Effects Of Coronavirus (Covid-19)
From The Perspective Of Data Protection
Mertcan İpek
The Covid-19 disease caused by SARS-CoV-2 virus (hereinafter the “Coronavirus”) has alerted public authorities all around the world to take measures. However, these measures should be supported by individuals and private businesses for a cumulative fight against the spread of the Coronavirus; the measures in workplaces are of paramount importance in this respect. Furthermore, employers in Turkey have a statutory obligation to ensure the health and safety of their employees under the Occupational Health and Safety Law no. 6331. In doing so, employers must take into consideration that they are bound by the data protection regulations when it comes to processing health-related data of their employees.
Article 6 of the Personal Data Protection Law no. 6698 (“PDPL”) regulates “sensitive personal data” which are subject to specific processing conditions; health-related data are classified within this special category. The information as to whether an employee is infected by the Coronavirus or carries its symptoms would be considered as “health-related data”.
According to Article 6(2) of the PDPL, it is prohibited to process sensitive personal data without obtaining the explicit consent of the data subject, i.e. of the employee. However, paragraph 3 of the same article sets forth an exception to this rule concerning the personal data relating to health and sexual life of the employee for the purposes of the protection of the public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services, and financing by persons under the obligation of secrecy or authorized institutions and organizations. Accordingly, in the absence of the employee’s explicit consent, personal data relating to the health of the employee can be shared by persons under the obligation of secrecy or authorized institutions and organizations. Doctors and health personnel would fall into the category of persons under the obligation of secrecy or authorized institutions and organizations. Employers in principle do not fall qualify for this category.
Regardless of whether the data are processed with the explicit consent of the employee or without such consent by fulfilling the requirements provided in Article 6(3), an employer is obliged to inform the employee regarding the data processing in compliance with Article 10 of the PDPL. For instance, using thermal cameras to measure the employees’ body temperatures without duly informing them according to Article 10 prior to such activity would constitute a violation of the PDPL.
Article 28 of the PDPL regulates the exceptional cases in which the provisions of the PDPL shall not apply. In this regard, Article 28(1)(ç) provides that “processing of personal data within the scope of preventive, protective, and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order, or economic safety” constitutes one of these exceptions. Given the extraordinary circumstances caused by the Coronavirus pandemic, the measures against the Coronavirus should be considered within the scope of “public safety”. From such an analysis, it would follow that “public institutions and organizations” would be allowed to process health-related data without being bound by the PDPL in order to maintain “public safety” in the combat against the Coronavirus. Therefore, public authorities which fall into this category (e.g. the Ministry of Health) would be able to process the health-related data of the employees in a certain workplace or ask for the transfer of already processed data even in the absence of the requirements imposed by the provisions of the PDPL. However, employers would still be bound by the above explained provisions of the law when processing and transferring such data.
On March 27, 2020, the Turkish Data Protection Authority published an announcement from its website in order to clarify certain issues of data protection in employment relationships with regard to the Coronavirus. It is emphasized that employers have the obligation to inform their employees if Coronavirus cases are seen in the workplace so that the necessary measures can be taken. However, this obligation should be fulfilled without disclosing the identity of the infected employees. In special circumstances which require such a disclosure, the infected employee in question should be informed in advance. The announcement also clarifies that employers may request certain information from their employees in order to maintain the conditions of health in the workplace, if such request is necessary, proportional and based on a strong justification from a risk management perspective. This information includes the recent travels of the employees and whether they show any symptoms of the Coronavirus. In this regard, the transfer of the health related data of the infected employees to the public authorities will also be in accordance with the relevant provisions of the PDPL.