Personal Data Protection Practices in Turkey under the Light of Covid-19 Outbreak

The Covid-19 outbreak has been declared a pandemic by the World Health Organization. Accordingly, an evaluation from a data privacy perspective has become necessary within the scope of Turkish Personal Data Protection Law no. 6698 (“LPPD”). In addition to the measures taken countrywide due to the Covid-19 outbreak, data controllers have also started to take specific precautions in order to ensure the health of their employees, customers, visitors and business partners.

Although companies have implemented additional measures due to the Covid-19 outbreak, they must still consider the personal data protection legislation while processing personal data. Since the Personal Data Protection Authority has not issued any specific regulation regarding the Covid-19 outbreak, personal data processed in this context remains subject to the provisions set forth in the LPPD and other applicable legislation.

Recent Practices

It has become usual practice for data controller companies to implement additional measures in response to the Covid-19 outbreak. Within the scope of these measures, employees, visitors, customers and business partners are expected to fill out forms before entering the workplaces of the data controllers. These forms include questions such as whether the person has travelled abroad in the last 14 days, whether he/she has symptoms related to Covid-19 and whether his/her relatives have travelled to places where the pandemic was intense. In addition, some companies may also prefer to measure body temperatures at the entrance of the workplace.

Considering that employees work together in closed environments, it is necessary for the employer to keep track of the travel details of employees. In this context, it should be accepted that the travel details of employees may be monitored regularly in order to ensure the health and safety of the workplace.

Receiving confirmation from the data subjects (i.e. confirmation from the data subject as to whether he/she has been in close contact with relatives who travelled abroad within the last 14 days) can be considered a reasonable measure in line with the LPPD in terms of both the Occupational Health and Safety legislation and the public interest concept under the Turkish Constitution numbered 2709. However, data subjects should not be asked for their specific travel destination. The risky destinations should be explicitly indicated by the data controller and the question should be limited to obtaining confirmation as to whether he/she has travelled to such destinations. In addition, it is recommended to implement these texts as a part of the workplace entry rules, rather than as a separate declaration to be provided by the data subject.

Although these questions aim to protect the community’s health, the conditions for processing health data under the LPPD must be taken into consideration before any health data is processed. Examples of health data include whether the data subject has Covid-19 or its symptoms, his/her body temperature, a detailed health report and whether the person has been quarantined.

Firstly, it should be evaluated whether Covid-19 risk can be determined without collecting health data. Since processing health data is subject to strict regulations under the LPPD, it is recommended to proceed without collecting health data, if possible.

Privacy Notice and Explicit Consent Obligations

Within the scope of the personal data processing activities mentioned above, data controllers must fulfill their obligation to provide a privacy notice as per Article 10 of the LPPD. The privacy notice should be provided to the data subject at the place where personal data is received by the data controller (e.g. filling out a form at the facility entrance).

If health data is not collected and the scope of the questions asked to the data subject is limited to confirmation of whether they and/or their relatives have travelled to risky regions, data controllers will not be obliged to obtain explicit consent. These circumstances can be considered within the framework of the Turkish Constitution and Occupational Health and Safety legislation. Accordingly, such personal data processing can be carried out by serving a privacy notice, without obtaining consent, based on the legal reason of “Explicitly regulated in the laws” foreseen under Article 5/2 (a) of the LPPD. However, if the data controller asks the data subject further questions, such as the names of his/her relatives who travelled to risky destinations abroad in the last 14 days, such circumstance should be evaluated separately under the LPPD.

If processing health data is considered vital in order to reduce the risk of the pandemic and the data controller decides to collect health data, it is recommended that the data controller proceed with one of the methods below:

- Pursuant to Article 6/3 of the LPPD, only persons or authorized institutions who are under the obligation of confidentiality are entitled to process health data without the explicit consent of the data subject, if processing is for protecting public health, executing preventive measures, issuing medical diagnosis, giving treatment and care services, planning and managing health services and financing. In this context, health data should be processed through workplace doctors provided that only workplace doctors will have access to such data.

- If it is not possible to limit the processing of health data to access by workplace doctors, explicit consent of data subjects should be obtained as per Article 6/3 and Article 5/1 of the LPPD.

Transfer of Personal Data

Due to the Covid-19 outbreak, employers may be entitled to transfer employees' personal data to public institutions and organizations. Pursuant to Article 28/1 (ç) of the LPPD, the LPPD will not be applicable if personal data is processed within the scope of preventive, protective and intelligence activities carried out by the public institutions and organizations authorized by law to provide national defense, national security, public security, public order or economic security. In this context, public institutions and their personnel will not be subject to the provisions of the LPPD while processing personal data.

Employers may transfer personal data, other than health data, in line with the requests of public institutions and organizations under the legal reason of “Fulfillment of the legal obligation” foreseen under Article 5/2(ç) of the LPPD. However, transferring health data will only be lawful under Article 6/3 of the LPPD (i) if the request is made by a hospital, medical center or similar institution or (ii) in the presence of an explicit consent provided by the data subject.

Additional Measures to Be Taken

In addition, personal data and sensitive personal data processed due to the Covid-19 outbreak should only be stored for the required period and then destroyed in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Personal data and sensitive personal data processed due to the Covid-19 outbreak should be processed in accordance with the principles under Article 4 of the LPPD. Within the scope of the principles of proportionality and data minimization, processing activities taking place due to additional measures should be limited to the purpose of processing and should not exceed the purposes to be achieved. In this context, the name and surname of the person infected by Covid-19 should not be shared with anyone, even for informational purposes. As a matter of fact, since such transfer may be approached as discrimination, it may be deemed contrary to the LPPD. Instead, information to be shared in order to prevent the risks caused by the Covid-19 outbreak should be anonymous.

In addition, data controllers should carry out all personal data processing activities by taking the necessary administrative and technical measures to ensure the appropriate level of security. The first of these measures is to limit access to such personal data to the required scope.

In the upcoming days, the decisions and guidelines to be published by the Personal Data Protection Authority regarding the Covid-19 outbreak should be closely followed and personal data processing activities should be carried out accordingly.

NOTE: When you receive this bulletin, the information contained in the bulletin may be out of date due to current legislative changes announced by public institutions and organizations.
