In Turkey, 2021 continued to be dominated by the COVID-19 pandemic and the various legal difficulties and ambiguities that it brought. This raised several questions on how to apply the Turkish data protection law and related legislation, in particular about how to properly process data on health, vaccination status, and PCR tests.
While the Turkish Data Protection Board (Board) passed various decisions in 2021, they generally did not result in the final resolution of the above issues. Conversely, while the Turkish government did publish decrees and letters impacting this area, it remains unclear how the provisions of these decrees and letters should be interpreted together with the provisions of the law.
The following is a summary of the main developments in the field of data protection in Turkey, in 2021.
Decisions of the Board
Unfortunately, during 2021 the Board did not publish any decisions or guidance on how personal data related to vaccinations and PCR tests should be kept, with the exception of one decision in which the Board found that various systems implemented by public authorities for the recording of personal data relating to vaccinations, PCR tests, and infection status were outside the scope of the law. Yet this decision, unfortunately, does not clarify if and how private entities may collect and process the same set of data.
The Board did, however, decide to extend the deadline for VERBIS registrations – the public data controllers’ registry in Turkey – until December 31, 2021. Registration with VERBIS is mandatory for various Turkish and foreign data controllers, and the extension of the registration obligation prevents entities that have not complied with this obligation, also due to the difficulties brought about by the pandemic, from being subject to sanctions.
Decrees and Governmental Orders
There is currently a decree and an official letter in force, published by governmental authorities in Turkey, on the data protection implications related to COVID-19.
The decree in question was issued by the Ministry of Interior and requires all individuals to show their HES Code (HES Kodu), created using an app issued by the Ministry of Health, when entering public areas such as shopping malls, cinemas, and theaters. The HES code contains information on vaccination status, PCR tests, and whether the person has suffered from a COVID-19 infection in the last 14 days. The said letter was sent to all governors by the Ministry of Labor and Social Security. The letter succinctly states that, “beginning September 6, employers are authorized to require unvaccinated employees to submit to weekly PCR testing and to maintain records of vaccinated employees and those who submit weekly PCR test results.”
As mentioned, the processing of personal data by private legal entities continues to fall under the scope of the law, which provides strict rules for the processing of health-related data. Thus, the obligations imposed on employers by the above-mentioned letter could be considered as contrary to the law. Therefore, it is necessary to clarify, on the basis of precedents and decisions of administrative authorities, how these potentially contradictory issues are interpreted in Turkish legal practice.
Further Work
To conclude, the law, which is based on EC Directive 95/46, was a major step forward for the implementation of, and compliance with, data protection in Turkey. However, there is still a considerable need for development, especially as many questions remain largely unanswered due to the existing regulations and thus cause difficulties in the application and implementation of the law.
To this end, and in view of the problems mentioned, we expect the Board to clarify which persons (e.g., company doctors) are authorized to process health data on behalf of the employer, as mentioned in the above letter.
In addition, the Board should also clarify the exact conditions for the cross-border effects of the Law. This is important to determine the data controllers abroad who, as mentioned above, are required to register with VERBIS.
Finally, we expect the Board to publish a list of safe countries to which personal data can be transferred without explicit consent. This is an important issue, as Turkey hosts many subsidiaries of global companies. Accordingly, the publication of such a list should ease the cumbersome cross-border data transfer procedures that currently apply to these companies under the law.
By Sinan Abra, Head of Data Protection, Yalcin Babalioglu Kemahli in Cooperation with CMS
This Article was originally published in Issue 8.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.