The personal data of individuals is protected by Law on the Protection of Personal Data (Code No: 6698) in Turkey. This Law regulates the obligations of real and legal persons who process personal data and also the procedures and principles that they will comply with during the processing of personal data. Under this Law, health and travel data of employees or visitors are in the scope of special personal data. Therefore, employers will be considered as data controllers if they process this data.

Under Article 6/1 of the Law on the Protection of Personal Data No. 6698, the health data of the individuals are special personal data. Under Article 6/3 of the Law, personal health data can be processed by individuals or authorized institutions and organizations without the explicit consent of the relevant person to protect public health. However, except for special exceptions in article 6/3 of the Law, it is forbidden to process special personal data, under article 6/2 of the Law, without the explicit consent of the persons concerned. As the article 6/3 of the Law No. 6698 regulates a minimal scope, the field of application in practice is limited. Therefore, the employer’s request and processing of personal health data from employees and visitors based on these articles may be restricted in practice and will not be appropriate. Under article 5/2 of PDPL, cases, where it is possible to process personal data without seeking explicit consent of the relevant persons, are regulated. Matters covered by this article may find application in employers processing personal data to protect against the epidemic. Under the article 5/2/ç of the Law, if the data is obligatory to process, that the data controller can fulfill his legal obligation, this data can be obtained and processed without seeking the explicit consent of those concerned. Therefore, employers can identify and process the personal data without the permission of their employees and visitors to ensure occupational health and safety at the workplace, so that they can fulfill their obligations under the Occupational Health and Safety Law No. 6331. However, in this case, the employer must obey the procedures and principles in article 4 of the relevant Law. In this context, after evaluating other methods to ensure occupational safety and health at the workplace, it should be decided that it is compulsory to obtain personal data. Personal data received and processed should have a relation to the purpose for which they prepared, and the information that is processed should be proportional. Data controllers should process this information to a limited, sufficient, and necessary extent. Therefore, the receiving and processing of this information should be minimized as much as possible. In this context, for example, employers can request information about whether their employees have recently traveled abroad. The fever of the employees before they were entering the workplace can be measured. However, for instance, requiring information from employees such as where they travel abroad or where they are, will exceed the scope allowed by Law. The cases to be exempted from the implementation of the Law are listed in Article 28 of the Law on the Protection of Personal Data No. 6698. Under Article 28 of the Law, it is possible to process personal data for purposes such as national defense, national security, public security, and public order. Therefore, processing of personal data by authorized public institutions and organizations are exceptions to prohibitions to the processing of personal data. In this context, it may be necessary for employers to share the processed information with the institutions that are under the “obligation of secrecy” and authorized by the Law to ensure public security under article 6/3 of the Law.

Employers and persons authorized by employers for these activities should inform the employees and visitors whose personal data are processed. Under Article 10 of the Law, the data controller has a responsibility to enlighten the related persons during or after these activities regarding the activities of obtaining personal data made with or without consent. Therefore, data controllers should inform the concerned people about the data processed. Moreover, according to Article 11 of the Law, people whose personal data are processed have the right to receive information about this data. Under this article, employees and visitors whose personal data are processed may request information from their employers or authorized persons about the processed data. According to Article 7 of the Law, if the reasons requiring the processing of the information disappear, the persons whose data is processed have the right to request the deletion of this information. Therefore, employees and visitors whose information is processed may request their personal information to be deleted from their employers if the epidemic disappears or is no longer dangerous. The deletion of this data is also obligatory to the data controllers provided that provisions of other laws relating to deletion, destruction, and anonymization of personal data are reserved. Under Article 12 of the Law,  the data controller should take all necessary technical and organizational measures for providing an appropriate level of security to prevent personal data from being processed unlawfully, to prevent unlawful access to personal data, and to ensure the protection of personal data.

The information received and processed under the relevant provisions of the Law on Protection of Personal Data and the applicable provisions contained in other laws are not against the Law. Therefore, employers have to obey the issues we mentioned while receiving and processing the information of their employees and visitors.

Lawyer Tuba Kızılkaya