Correct as of 16:30, 17 April 2020. This article is not being maintained.
The continuing spread of the COVID-19 pandemic has resulted in employers taking extensive measures to contain the pandemic. For employers with white-collar employees, one such measure has been to implement a home working structure to avoid contagion in the workplace.
On the other hand, employers that run production facilities or act in sensitive industries (e.g. pharmaceuticals, telecoms, banking) continue to keep their facilities open and to operate from their customary workplaces. In the face of this pandemic, these employers are now obliged to implement additional health and safety measures to protect the wellbeing of all their employees as per the Turkish occupational health and safety legislation, to the processing and disclosure of sensitive health data of their employees.
Further, to the extent that any health and safety measures implemented by employers involve the processing of employee data, this will trigger the application of the Turkish Data Protection Law ("Law") and any such processing will need to comply with the principles therein. This is especially true for categories of data regarded as sensitive data under the Law (e.g. health data), whose processing is subject to stricter conditions under the Law compared to ordinary personal data.
Accordingly, we list below several data protection issues for employers to consider when implementing additional health and safety measures in their workplaces:
Actions to Take Before Collecting Personal Data
As per the provisions of the Law, employers are, at any rate, obliged to inform their employees with respect to the employer's data collection and processing practices. This would include, without limitation, any data processing occurring due to the implementation of health and safety measures and would usually be done via a privacy notice (aydınlatma metni) delivered to the employees.
In this regard, to the extent such an information obligation has not already been fulfilled or it is fulfilled only partially, the employer must once again inform the employee of its data processing activities, arising especially due to the processing of any sensitive personal data (e.g. health data) if such data shall be collected as part of the measures implemented by the employer against the COVID-19 pandemic (e.g. checking employees' fever).
As such, a brief due diligence with respect to the employer's data processing activities and whether the employer has duly undertaken its information obligations should be made and if necessary, a new privacy notice should be prepared and delivered to the employees.
Administrative and Technical Measures
The employer must procure that it has in place sufficient administrative and technical measures to protect the personal data collected during the COVID-19 pandemic. To the extent that sensitive data is collected, then, the measures for the safekeeping of such data must be determined accordingly, especially taking into account the decisions of the Turkish regulatory authority (Turkish Personal Data Protection Authority) in this respect.
To this effect, it would be advisable to obtain advice from qualified service providers (e.g. legal and information technologies) to procure that such measures are duly implemented without impeding the business of the employer.
Principles to Observe During the Collection of Personal Data
In general, employers processing additional personal data due to the COVID-19 pandemic must remember that they will continue to be bound by the proportionality and minimization principles under the Law. Therefore, employers must refrain from obtaining any personal data that is irrelevant to the COVID-19 pandemic or is at any rate excessive. Whether the data collection practices of an employer comply with these principles would need to be assessed on a case-by-case basis.
Where the processing of sensitive data such as health data is in question, employers must remember to involve qualified personnel in this respect and to implement additional measures to protect such information.
For the collection of certain ordinary personal data (e.g. travel information relating to the employee), by contrast, employers must base their processing on the correct legal basis (e.g. legal obligations or legitimate interest) and proceed to processing on this basis. The correct basis for each processing must be determined on a case-by-case basis.
Disclosure and Transfer of Sensitive Data
Turkish law obliges all employers to report any contagious diseases occurring at their workplace to the relevant public authorities. As such, if an employee tests positive for the COVID-19 virus, then the employer in question, as a matter of law, will need to transfer the health data of that employee to the public authority in question. The Turkish regulatory authority has also confirmed that such transfer should be compliant with the provisions of the Law.
Disclosure and Transfer to other Third Parties
In general, any data collected must only be made available to the authorized personnel of the employer and must not be disclosed to third parties as this would be against the Law and could also result in discriminatory action against the employee in question by other employees/managers of the employer. Such discrimination against an employee may also give rise to employer's liability. Restricted third parties would also include any intra-group/parent companies even if the employer is pursuing certain interests by such transfer (e.g. evidencing loss of workforce to arrange intra-group loans). In such a case, the employer must anonymize such data for its processing purposes.
On the other hand, as part of its obligations under the occupational health and safety legislation, an employer will be obliged to inform its employees about a possible case of infection in its workplace. As such, if an employee shows symptoms of COVID-19, an employer should be able to inform co-workers of this matter. However, this should be done in a restrictive manner and, to the extent possible, the identity of an employee who is possibly infected should remain anonymous and should not be disclosed to co-workers.
Actions to Take Once Processing is no Longer Necessary
Deletion or Destruction of Personal Data
Any personal data collected by the employer within the measures implemented against the COVID-19 pandemic must be duly deleted or destroyed once the COVID-19 pandemic is over. However, the employer may retain these records until an official announcement regarding the end of the pandemic has been made.
Although the world is going through difficult times and uncertainty due to the COVID-19 pandemic, employers must continue to comply with the laws in effect. This implies that certain additional occupational health and safety measures will need to be implemented, resulting in additional data processing, even if this is not desired by the employer. To avoid any risks arising from an undue processing of personal data, employers must organize their new processing activities in consideration of the relevant provisions of the Law and consider any decisions/announcements by the Turkish regulatory authority in this respect. Where necessary, it would also be advisable to obtain qualified advice to implement this new data processing regime.
For information on how we can assist you in complying with the new data processing obligations related to COVID-19, contact your regular CMS advisor or our local experts Dr. Döne Yalçin or Sinan Abra.