Turkish Personal Data Protection Board (“Board”) has published a public announcement on its website on March 27, 2020 regarding the Covid-19 outbreak which is declared as a pandemic by the World Health Organization. Accordingly, important points that should be considered on processing personal data, notably health data, are reminded.
In order to prevent the spread of the Covid-19 and to mitigate its effects, public institutions and organizations are taking various measures. In many cases where these measures are taken, it is inevitable to process many personal data such as identity number, name, address, job, travel information, health related data, etc.
Pursuant to Board’s announcement, data controllers must ensure the protection of personal data in these extraordinary conditions. Measures to be taken during the outbreak must be in accordance with general principles stipulated by Personal Data Protection Law (Law No. 6698). The decisions taken by data controllers in this regard should be within the guidance and instructions of public health institutions, especially the Ministry of Health, or other relevant institutions and organizations. Moreover, data controllers must inform the data subject regarding the type of measure, purpose of processing personal data and for how long it will be stored, and besides personal data must be processed only if it is mandatory.
The Board has stated that within the context of preventing the spread of the COVID-19, all necessary administrative and technical measures should be taken to ensure the protection of personal data. The processed data should not be disclosed to any third party unless there are acceptable justifications, and over processing of personal data must be avoided.
There are various periods determined both in the Law and relevant legislation relating to the complaints, notices and data breach notifications submitted to the Board within the scope of the legislation on the protection of personal data. The Board has highlighted the importance of compliance with these periods by data controllers.