PERSONAL DATA PROTECTION AUTHORITY’S ANNOUNCEMENT REGARDING PROCESSING OF PCR TEST RESULTS AND VACCINATION DATA
We would like to inform you that the Personal Data Protection Authority (the “Authority”) (in Turkish, “Kişisel Verileri Koruma Kurumu”) has made a public announcement on 28 September 2021 on its official website regarding the implementation of Covid-19 PCR test results and vaccine information. In the announcement, the Authority has provided an evaluation regarding the processing of the Covid-19 PCR test results and vaccine information contained in its decision dated 28 September 2021 and numbered 2021/980 (the “Decision”).
According to the Decision; at worldwide, States are taking various measures to prevent the Covid-19 pandemic, the outbreak continues to spread rapidly with the effect of various variants, and Turkey has taken many precautions against this outbreak.
One of these measures is to request by way of a Communiqué dated 20 August 2021 to provincial governorships by the Ministry of Interior to obtain Covid-19 vaccine information or PCR test information from individuals who wish to participate in activities in places where it involves crowding.
In addition, with a letter dated 2 September 2021 that was sent to all provincial governorships, the Ministry of Labor and Social Security, stated that unvaccinated employees at the workplaces may be required to take PCR tests performed once a week as of 6 September 2021, and these results would be recorded at the workplaces.
It should be noted that Information regarding the health status of individuals, such as test results, reports, vaccination status, is in the nature of sensitive data in accordance with Article 6 of the Law on the Protection of Personal Data (the “Law”). Hence, the general rule is that such sensitive data should be processed in accordance with Article 6 of the Law.
According to the Decision, since the PCR test and vaccine information is processed in order to prevent the pandemic which is considered a threat on public order and security, the Authority evaluated that the processing of such sensitive data falls within the scope of article 28/1/ç of the Law. Accordingly, if the PCR test and vaccine information is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been authorized by law to ensure public safety and public order, this will be accepted as an exception to general rules of processing sensitive data set forth in the Law, provided that employers take security measures and abide by rules of confidentiality.
Keeping the above information in mind, we would like to draw your attention to transfer of this data abroad for any reason, including storing data at the servers located abroad. If subject sensitive data will be transferred abroad for any reason, we are of the view that the Board may decide this transfer cannot be accepted within the scope of public safety and public order activities. We therefore suggest that in such a case, the employers should continue to receive the explicit consent of the employee if a transfer will be made to any third parties even in Turkey (except for agencies authorized by public) and abroad.
On the other hand, there is also a contrary view that asserts such processing of sensitive personal data mentioned in the Announcement is applicable to only for public institutions and organizations under Article 28/1/ç and it would be contrary in any case to Article 6 of the Law to process sensitive personal data without first obtaining explicit consent of the relevant individual/employee in the private employment sector. Accordingly, it is argued that it should be processed in accordance with Article 6 of the Law for employers in private sector employment.
Our Law Firm remains at your disposal for any further clarifications you may need.