Due to the COVID-19 pandemic, employers are requesting various information from their employees and visitors to the workplace to ensure occupational health and safety in the workplace. This includes information such as the current health status of employees, the people they are in contact with, and their recent travels.
Due to the COVID-19 pandemic, employers are requesting various information from their employees and visitors to the workplace to ensure occupational health and safety in the workplace. This includes information such as the current health status of employees, the people they are in contact with, and their recent travels. Measuring the body temperatures of employees and visitors, detecting body temperatures with cameras, various scanning methods and recording this information with these scanning methods are among the activities carried out for preventive purposes. In this context, whether there is an existing restriction on the detection and processing of personal data of employees and whether these activities will cause a violation of the law are among the issues that have been investigated recently. Therefore, it would be useful to evaluate this issue.
In Turkey, personal data is protected by Law No. 6698 on the Protection of Personal Data. This law regulates the obligations of natural and legal persons who process personal data and the procedures and principles to be followed during the processing of personal data. Pursuant to this law, health and travel data of employees or visitors are within the scope of special categories of personal data. Therefore, employers will also be considered as data controllers if they process this data.
Pursuant to Article 6/1 of the Law No. 6698 on the Protection of Personal Data, health data of individuals are special categories of personal data. Pursuant to Article 6/3 of the Law, it is possible to process personal health data for the purpose of protecting public health by persons under the obligation of confidentiality or authorized institutions and organizations without seeking the explicit consent of the data subject. However, except for the special exceptions in Article 6/3 of the Law, it is prohibited to process special categories of personal data without the explicit consent of the data subjects pursuant to Article 6/2 of the Law. Article 6/3 of the Law No. 6698, on the other hand, is regulated in a very limited scope and therefore has a very limited application area in practice. Therefore, the employer’s request and processing of personal health data from employees and visitors based on these articles will be limited in practice and will not be appropriate. Pursuant to Article 5/2 of the LPPD, the cases where it is possible to process the personal data of the data subjects without seeking their explicit consent are regulated. The cases within the scope of this article may find application in the processing of personal data by employers to protect against the pandemic. Pursuant to Article 5/2/ç of the Law, if the processing of such data is mandatory for the data controller to fulfill its legal obligation, such data may be collected and processed without seeking the explicit consent of the data subjects. Therefore, employers may identify and process this information without obtaining the consent of their employees and visitors in order to ensure occupational health and safety at the workplace, which is their obligation under the Occupational Health and Safety Law No. 6331. However, in this case, the employer must act in accordance with the procedures and principles in Article 4 of the relevant law. In this context, it is necessary to decide that the collection of personal data is mandatory after evaluating whether other methods can be taken to ensure occupational safety and health in the workplace. The personal data collected and processed must be relevant and proportionate to the purpose for which they are processed. This information should be processed to a limited, sufficient and necessary extent. Therefore, the collection and processing of this information should be minimized as much as possible. In this context, for example, employers may request information from their employees about whether they have recently traveled abroad. They may take their employees’ temperature before they enter the workplace. However, requesting information such as, for example, where their employees have traveled abroad or where their employees have been would exceed the limits permitted by law. Article 28 of the Law No. 6698 on the Protection of Personal Data lists the cases that may be exempted from the application of the law. Pursuant to Article 28/ç of the Law, it is possible to process personal data for purposes such as national defense, national security, public security, public order. Therefore, the processing of personal data by authorized public institutions and organizations can be considered as one of the exceptions to the protection of personal data processing. Pursuant to Article 6/3 of the Law, employers may also be required to share the processed information with institutions under “confidentiality obligation” authorized by law in order to ensure public security.
Employees and visitors whose personal data are processed must be informed by employers or persons authorized by employers for these activities. This is because, according to Article 10 of the Law, the data controller or the person authorized by the data controller has the responsibility to inform the data subjects during or after these activities regarding the activities of obtaining personal data with or without consent. Therefore, data controllers are required to inform data subjects about the processed data. Moreover, according to Article 11 of the Law, the persons whose personal data is processed have the right to receive information about this data. Pursuant to this article, employees and visitors whose personal data are processed may request information about their processed data from their employers or authorized persons. According to Article 7 of the Law, in the event that the reasons requiring the processing of the information disappear, the persons whose information is processed have the right to request the deletion of this information. Therefore, employees and visitors whose information is processed may request their employers to delete their personal information in the event that the epidemic situation disappears or no longer poses a danger. The deletion of this information is also the obligation of data controllers, without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of personal data. According to Article 12 of the Law, the data controller is obliged to take all kinds of technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data. Therefore, employers are required to take all kinds of measures to ensure that the processed data is processed in accordance with the law.
Information received and processed in accordance with the relevant provisions of the Law on the Protection of Personal Data and the relevant provisions of other laws is not unlawful. As of 24.03.2020, when this article was written, no regulation has been made regarding the protection of personal data that specifically extends the exceptions in the provisions of the Law on the Protection of Personal Data to the coronavirus outbreak process. Therefore, employers are required to act in accordance with the issues we have mentioned when receiving and processing the information of employees and visitors. The processing of personal data carried out in compliance with these issues does not constitute a violation of the law.
