Evaluation of the Obligations of Data Controllers in the COVID-19 Fight

Law No. 6698 on the Protection of Personal Data ("PDPL") came into effect on April 7, 2016, and contains regulations related to the processing of all kinds of information concerning identified or identifiable individuals. Companies that have the status of data controllers under the PDPL are obliged to process data in accordance with legal principles and to ensure the security of the personal data processed. In this regard, the compliance of the measures to be taken due to the COVID-19 virus pandemic with the obligations set forth in the PDPL will be explained in detail below.

 

After the World Health Organization declared the COVID-19 virus pandemic on March 11, 2020, various measures were taken by both public institutions and private companies to protect public health. During the process of taking necessary precautions, personal data such as name, surname, address, identification number, workplace, travel information, and health-related data may be processed. In this context, personal data processing activities carried out within the scope of the measures taken against the COVID-19 virus should be necessary, purpose-related, limited, and proportional. Therefore, care should be taken to process only the essential personal data to identify infected individuals and to avoid collecting any unnecessary data in accordance with the principle of data minimization.

 

As stated in the public announcement made by the Personal Data Protection Authority, personal data must be processed in accordance with the conditions specified in Articles 5 and 6 of the PDPL during this period. In this framework, especially regarding the processing of health data, it may be preferred to obtain the employee's consent. However, considering the speed of the spread of the pandemic, it has been noted that the employee may voluntarily report illness. In cases other than explicit consent, it has been stated that health data can be processed by workplace doctors.

 

It is important for data controllers and data processors to ensure that activities involving the processing of individuals' health data and other personal data are carried out in accordance with the provisions of the PDPL. Additionally, necessary administrative and technical measures must be taken to ensure data security. The data of affected individuals should not be disclosed to any third party without a clear and mandatory justification.

 

Data controllers should inform employees about the cases. When providing information, care should be taken to avoid disclosing individuals' names and providing excessive information. In cases where it is necessary to disclose the name of the infected employee(s) for protective measures, it would be beneficial for data controllers to inform the relevant employees in advance about this matter.

 

Additionally, the Board has reminded that, as part of the administrative and technical measures to be taken for workplaces operating remotely during this process, it is essential to minimize the risks arising from remote work. This includes ensuring secure communication protocols for data traffic between systems, making sure there are no vulnerabilities, and ensuring that antivirus systems and firewalls are up to date. All necessary measures should be taken, and employees should be carefully informed about the security of personal data.

If you have any questions regarding the topic, please do not hesitate to contact us.