Following the publication of the Ministry of Labor and Social Security's article on "Covid-19 Measures at Workplace" dated September 2, 2021, questions had risen on how employers should act as data controllers within the scope of the Personal Data Protection Law No. 6698 ("PDP Law"), in this direction, the Personal Data Protection Authority has published the "Public Announcement on the Practices Regarding Covid-19 PCR Test Results and Vaccine Information" dated September 28, 2021, and clarified some issues.

The pandemic virus, known as the COVID-19 pandemic or the Coronavirus pandemic, which has affected the whole world since December 20219, is one of the main issues that has especially been on the agenda of employers. With the vaccines developed during the pandemic process and the PCR tests, it has raised questions about how employers should take precautions, especially regarding workplace health and safety. In this regard, following the general letter of the Ministry of Labor and Social Security (“Ministry”) sent to the Governorships of all 81 provinces in Turkey on “Covid-19 Measures at Workplace” dated September 2, 2021, the “Public Announcement on the Practices Regarding Covid-19 PCR Test Results and Vaccine Information” by the Personal Data Protection Authority (“Authority”) dated September 28, some issues were able to be clarified.

Upon requests of an opinion from the Authority on how to proceed within the framework of the PDP Law, the Authority has deemed it appropriate to publish the relevant public announcement.

The relevant announcement primarily referring to the general letter published by the Ministry, subsequently mentions that the information regarding the health status of the individuals such as analysis, imaging, test, report, vaccination status is considered as health data, which is a special category of personal data pursuant to Article 6 of the PDP Law, and therefore, it is stated that the information in question should be processed in accordance with the processing conditions set forth in Article 6 of the PDP Law.

On the other hand, it has been stated that, in cases threatening public security and public order such as a pandemic, it should be evaluated within the scope of that Article 28/(ç) of the PDP Law, which is an exception for the processing of personal data within the scope of the activities carried out by the public institutions and organizations authorized by law, in order to eliminate this threat and to prevent the contagiousness of the pandemic.

Accordingly, in order to prevent the spread of the disease caused by Covid-19 threatening public security and public order, it has been provided that there is no obstacle to processing Covid-19 vaccine information and/or negative PCR test information within the scope of preventive and protective activities carried out by public institutions and organizations  under the aforementioned article, therefore, the said personal data processing activities can be carried out in accordance with Article 28/(ç) of the PDP Law, however, the personal data processing activities that are outside of or exceed the activities for the purpose of protecting public security and public order carried out within the scope of the Covid-19 pandemic are considered within the scope of the PDP Law.

As a result, within the scope of preventive and protective activities carried out by public institutions and organizations, there is no obstacle to the processing of Covid-19 vaccine information and/or PCR test information with negative results in order to prevent the spread of the disease due to the threat of public safety and public order. It is understood that personal data processing activities other than or exceeding the activities for the purpose of protecting the public order should be carried out in accordance with Article 6 of the PDP Law.