The Turkish Data Protection Authority ("DPA") has published an announcement on 28 September 2021 based on the decision of the Turkish Data Protection Board No. 2021/980, adopted on the same date.
The announcement sets out general principles to be complied with while fulfilling the measures applied by the Ministry of the Interior ("MI") and Ministry of the Labour and Social Security ("MLSS") in relation to Covid-19 PCR test result and vaccination information, and clarifies how the aforesaid measures should be interpreted as per Turkish Law No. 6698 on the Protection of Personal Data ("Law").
Measures taken by the MI and MLSS
On 20 August 2021, MI communicated to the 81 Provincial Governorships for execution, as well as to the relevant ministries for information, a notice letter on general Covid-19 measures required in public places and events for the purpose of ensuring public health. In this context, MI announced on its website that operators and/or organisers are supposed to ask visitors, as of 6 September 2021, at the entrance of events or public places, for their information on vaccination, recovery from Covid-19 (according to the period that is scientifically considered to provide immunity after Covid-19 infection), or negative PCR test provided maximum 48 hours previously. Since then, it has been underlined that if a given person has not had the disease, is not vaccinated, or does not have a negative PCR test, he/she will not be allowed to attend the event.
Likewise, by virtue of the writ sent by MLSS to the 81 Provincial Governorships on 2 September 2021, MLSS made an announcement about the PCR tests to be requested by employers from their employees and the information requirement of the employers about Covid-19 risks and precautions. Firstly, employers are reminded that they must inform their employees about the protective and preventive measures against the health and safety risks that may be encountered in the workplace, and employers are requested to inform in writing their employees whose Covid-19 vaccination has not been completed yet. As regards the vaccination status of employees, it has been clearly stated that, as of 6 September 2021, unvaccinated employees may be mandatorily requested by their employer to undergo a PCR test once a week, and the test results will be recorded at the workplace for necessary procedures.
DPA's assessment of the measures from a personal data protection perspective
The announcement published on the website of DPA describes the current situation within the framework of the writs issued by the MI and MLSS, and points out that information about the health status of individuals such as test, report and vaccination status shall be qualified as personal health data according to Article 6 of the Law and falls within the scope of sensitive personal data and therefore, shall be processed in accordance with the Law.
However, considering the effects of the Covid-19 epidemic on health, social life and the economy worldwide, the necessity of processing of Covid-19 related sensitive personal data such as PCR test results and vaccination status has been emphasised in order to protect public health, public security and public order.
In this respect, the DPA draws attention to Article 28 of the Law and reminds that, where personal data is processed within the scope of preventive, protective and informative activities carried out by the public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security, the provisions of the Law shall not be applied.
Accordingly, it has been mentioned that there is no obstacle to processing Covid-19 vaccine information and/or negative PCR test data within the scope of preventive and protective activities carried out by public institutions and organisations aforementioned in Article 28, with the intention of preventing the spread of the disease due to the threat of Covid-19 to public security and public order.
In conclusion, under the conditions stated in the announcements and official writs issued within the scope of Covid-19 measures, it is important to state that both public- and private-sector employers and workplaces can process and/or transfer the information on Covid-19 vaccination status and/or negative PCR test results as per Article 28 / 1(ç) of the Law, without considering the provisions of the Law. However, it should be noted that these exemptions are only valid for the enforcement of the Law, and other specific personal data protection requirements provided for in any other legislation, if any, shall continue to apply without exception. In addition, personal data other than the Covid-19 vaccine information and/or negative PCR test data as clearly stated in the announcement, should be processed in accordance with the provisions of the Law.
In compliance with Turkish bar regulations, opinions relating to Turkish law matters that are included in this client alert have been issued by Özdirekcan Dündar Şenocak Avukatlık Ortaklığı, a Turkish law firm acting as correspondent firm of Gide Loyrette Nouel in Turkey.
Click on the PDF below to download the Client Alert.