WAYS TO PROTECT THE PERSONAL DATA OF THE PATIENTS WITH CORONAVIRUS (COVID 19) IN TURKEY
Coronavirus (“Covid-19”) first appeared in Wuhan, People’s Republic of China, and then spread all over the world. It was announced as a pandemic (“Epidemic”) with the statement of the World Health Organization dated March 12, 2020, and the number of people who are infected with and die from this disease increases day by day.
Since the first case in our country was announced on 11 March 2020, the epidemic has spread rapidly; as of 23 March 2020, the number of people who have caught the virus has reached 1256 and the death toll has reached 30.
The coronavirus epidemic has confronted governments, public institutions, and private sector organizations around the world with the imperative to take measures to control and prevent its spread. This has brought up the processing of different types of personal data by the relevant institutions and organizations.
Within the scope of the precautionary measures, there is the possibility of processing personal data, especially data concerning the health of employees or third parties. While taking these measures, legislation regarding the protection of personal data should be taken into consideration and violations of this legislation should be avoided. Otherwise, the relevant institutions and organizations will face administrative fines within the scope of the Turkish Personal Data Protection Law (“KVKK”), and criminal sanctions if the act falls within the criminal definitions in the Turkish Criminal Code.
In our country, the Personal Data Protection Authority has issued a public announcement on submitting complaints, data violation notifications and applications for registration to VERBİS via e-mail, mail, cargo, the related modules or KEP; however, the Authority has not made any announcement about the path that data controllers should follow due to the coronavirus outbreak.
The European Data Protection Board (“EDPB”) issued a statement on the processing of personal data in the context of the Covid-19 outbreak on 16 March 2020. While the statement noted that the fight against infectious diseases is a valuable target shared by all nations and should be supported, it emphasized that even in these extraordinary times, the data controller should protect personal data in accordance with the law.
In order to prevent the spread of the Covid-19 virus in our country, a call to “stay at home” was made. Within the scope of this call, working from home has come onto the agenda of organizations, and many organizations have decided to temporarily stop their activities. Despite this situation, it may be necessary to process certain personal data within the scope of measures to be taken by the competent public authorities and all employers in order to prevent the epidemic. Some of the issues to which a company/organization, as a data controller, should pay attention in the current circumstances are set out in this blog.
Personal data and special categories of personal data concepts according to KVKK
Under article 3 of KVKK, personal data is defined as “Any information relating to an identified or identifiable natural person”. Under article 6 of KVKK, special categories of personal data are defined as “Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics”. Therefore, data concerning health falls within the special categories of personal data.
Processing conditions of the special categories of personal data
Special categories of personal data can only be processed provided that the explicit consent of the data subject is obtained. Special categories of personal data, other than personal data concerning health and sexual life, may be processed without obtaining the explicit consent of the data subject if the processing is permitted by any law. Personal data concerning health and sexual life may only be processed without obtaining the explicit consent of the data subject for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
Data Controller’s Obligation to Inform
According to article 10 of the KVKK, the data controller or the person it authorized is obliged to inform the data subject during the acquisition of personal data for each data processing activity.
The information to be provided by the data controller should include the identity of the data controller, the purposes for which personal data will be processed, the methods of obtaining personal data, the persons to whom processed personal data might be transferred and the rights of the data subject.
If data concerning health is processed during the implementation of the measures taken due to the coronavirus, the data controller's responsibility to inform the data subjects/employees continues.
Processing of the personal data concerning health
Processing by persons under the obligation of secrecy or authorized institutions and organizations
Personal data concerning health may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations. In this regard, special categories of personal data concerning health can be processed by people who are obliged to keep secrets, such as doctors, nurses and healthcare personnel, without the explicit consent of the data subject.
Processing of data concerning the health of employees
According to the Occupational Health and Safety legislation, employers are under an obligation to protect and observe the employees, to take and implement occupational health and safety measures, and to provide a healthy and safe working environment. In this regard, employers have a legal obligation to protect the health of their employees. Employers are required to take opinions from workplace doctors and occupational safety specialists regarding the effects and prevention of the outbreak and to have the measures to be taken evaluated by the occupational health and safety boards. These measures can be for employees, customers or visitors. Therefore, in the current circumstances, the data concerning the health of employees, customers or visitors may be processed by employers.
When it comes to the processing of data concerning health due to the coronavirus epidemic, explicit consent of the employees is essential. If the employee does not give explicit consent, the data concerning the health of the relevant employee cannot be processed. Since the obligation to demonstrate that explicit consent has been obtained lies with the controller, explicit consent must be obtained in writing.
In the workplace, data concerning health can only be collected through the workplace doctor, unless the employee has given explicit consent. The data concerning health collected by the workplace doctor should be processed by taking the necessary administrative and technical measures. Due to the coronavirus epidemic, it is lawful for the workplace doctor to carry out health checks for employees other than periodic examinations, and this is also important for the diagnosis and detection of coronavirus and for preventing its spread. In the context of measures taken in the workplace in order to prevent the spread of epidemic disease, if the data concerning health is processed through the workplace doctor, the data controller is only obliged to inform its employees. No explicit consent is required from the employee, as data concerning health is processed by the workplace doctor, who is under the obligation to keep secrets.
However, the employer should not be able to access the data concerning health kept in the worker’s health file by the workplace doctor. Otherwise, the employer is obliged to obtain the explicit consent of the employees in addition to fulfilling the obligation to inform.
The data concerning health collected by the employer on the basis of explicit consent or through the workplace doctor should not be shared with or transferred to other persons without one of the grounds for lawfulness set out in the provisions of KVKK. Otherwise, there may be administrative fines in accordance with KVKK for the relevant data controller. Employers should inform their employees about coronavirus cases, but they should not share more information than necessary.
For example, how should the information that a worker has been quarantined be evaluated?
Quarantine data is personal data that can be considered data concerning health in a broad sense. When the data related to quarantine is shared with the employer, it is appropriate to share this data with other employees only as much as necessary, in order to protect the privacy of the employee concerned. In other words, it is appropriate to anonymize the data related to quarantine and share it with other employees.
What should be done in terms of personal data of employees whose coronavirus test is positive or who show related symptoms?
Within the workplace, the employee whose coronavirus test is positive should be directed by the workplace doctor. Organizations that do not have a workplace doctor should also manage the process through a doctor or authorized institution. In this case, as in quarantine data, personal privacy must be protected.
Additional administrative and technical measures should be taken in order to process the reports or test results, issued by authorized institutions, of employees who have tested positive for coronavirus, and these should be processed through workplace doctors.
Rights of Data Subject
The rights of the data subject are stipulated in article 11 of KVKK. Accordingly, the data subject has the right to:
- a) Learn whether or not her/his personal data have been processed;
- b) Request information as to processing if her/his data have been processed;
- c) Learn the purpose of the processing of the personal data and whether data are used in accordance with their purpose;
- ç) Know the third parties in the country or abroad to whom personal data have been transferred;
- d) Request rectification in case personal data are processed incompletely or inaccurately;
- e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7 of the Law;
- f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;
- g) Object to occurrence of any result that is to her/his detriment by means of the analysis of personal data exclusively through automated systems;
- ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data
by applying to the data controller. Therefore, those whose data concerning health are processed may make the above requests depending on the specific case.
According to article 17 of KVKK, with respect to crimes relating to personal data, provisions of articles 135 to 140 of the Turkish Criminal Code numbered 5237 shall apply. Accordingly, pursuant to article 135 of the Turkish Criminal Code, any person who unlawfully records personal data shall be punished with imprisonment from six months to three years, and in case the data is special categories of personal data, the sanction shall be increased by half.
Pursuant to article 18 of KVKK, the following administrative fines shall be imposed on data controllers who do not fulfill:
- a) the obligation to inform stipulated in article 10 of this Law: an administrative fine of 5.000 Turkish liras to 100.000 Turkish liras;
- b) the obligations regarding data security stipulated in article 12 of this Law: an administrative fine of 15.000 Turkish liras to 1.000.000 Turkish liras.
As a result;
Within the framework of the above-mentioned issues, while processing personal data due to the coronavirus outbreak, the principles of data processing should be respected at each stage, to the extent required and proportionately.
It is not possible to say that personal data can be processed in an unlimited way for the measures taken or to be taken within the scope of combating the coronavirus outbreak. In particular, special categories of personal data, including data concerning health, may not be processed without meeting the explicit consent requirement, except for the exceptions specified in the legislation.