Processing of Covid-19 Vaccine and PCR Test Result Data of Employees by Employers

With the article published on September 3rd, 2021, by the Ministry of Labor and Social Security named as; “Covid-19 Measures in the Workplace” cleared the way for employers to request PCR tests from employees who have not completed their Covid-19 vaccines. According to this article, starting from September 6th, employers will be able to ask employees who are not vaccinated to provide a PCR test once a week. According to the article, not only will the employers be able to request a test, but also the test results will be recorded at workplace. The processing of this data is still being discussed and questions are being raised about how this process will be pursued within the scope of the protection of personal data.Ingilizce çevirisi.

May employers process the stated sensitive data within the scope of personal data protection?

According to the Personal Data Protection Law No. 6698 (“PDPL”) for employers to record employees’ vaccination data or PCR test results is defined as a data processing activity.

There is nothing to prevent the employers to process relevant data, provided that processing activity is in accordance with the PDPL personal data processing purposes and rules. The important question here will be for what purpose and for what benefit the data will be processed. The purpose should be presented transparently to the employees, and if the purpose of processing the data can be carried out without processing the relevant data, then the processing of the data shall be avoided. The purpose of an employer to ask for the employee’s vaccination information is to establish the workplace environment in a healthy way, to protect the health of other workers and thus to fulfill their obligations regarding workplace health and safety. In order to achieve this goal, it will be possible to process the vaccine information of the relevant employees and PCR test results when required.

In the public announcement published on the website of the Turkish Data Protection Authority (“Authority”) with the decision dated 28/09/2021 and numbered 2021/980 (“Announcement”); The Authority made statements in parallel with our assessments and stated that the processing of such test and vaccine information data is a sensitive data processing activity within the scope of the PDPL Article 6. The Authority also stated in the Announcement that related data processing activity may be evaluated within the scope of the exception in accordance with Article 28/(ç) of the PDPL. According to the Article in question, personal data processing carried out within the scope of activities carried out by authorized public institutions and organizations to ensure public safety or public order will be excluded from the scope of the PDPL. It is not clear in the Announcement whether this article is an exception only for Public Institutions and Organizations, or private sector can also benefit from it.

How should vaccine information and PCR test results be processed?

Vaccine information and PCR test results are accepted as data on the health status of the person and can only be processed based on the explicit consent of the employees due to the fact that it is of special quality data (“sensitive data”) according to the Article 6 of the PDPL.

The PDPL has also made an exception to the stated explicit consent provision. According to the provision, persons or authorized institutions and organizations that have a secrecy obligation, such as workplace physicians, will be able to process the health data without the explicit consent of the employee in case of protection of public health and other purposes listed in the article for the purposes on which vaccine information and PCR testing are based.

Although there is no clear limitation on the secrecy obligation here, it is still a matter of debate whether the persons who are under the secrecy obligation by contract will also be covered by the specified exception. Employers should consider the security measures they must comply with in accordance with the PDPL and the decisions of the Authority as data controllers, if possible, data processing should remain only allowed to workplace physicians who are under the obligation of secrecy, and this access should be restricted if other persons in the workplace that request access to this data.

Could explicit consent of the employee be a basis on processing of the data?

Employees’ explicit consent which given to their employers in the processing of their personal data whether is given by “free will” or not is still a matter of debate in all countries. However, there is no obstacle to the processing of most data processing activities on the legal basis of explicit consent of the employee if the conditions specified in the PDPL are met. Therefore, it is possible to obtain the employee’s explicit consent freely regarding the processing of vaccine information and PCR test information, and for the employee to share this information with the employer of his own volition. In the debate over whether explicit consent is based on free will; In our opinion it is not accurate to consider that the consent of the employee cannot be accepted and invalid for every case as a result of the relationship of subjectivity between the employee and the employer.

The processing of personal data is not the only situation in which the consent of employees is sought in our legislation, altering the working conditions in a significant way, carrying out the usual overtime work, working on national holidays and general holidays, and reducing the wage are also situations that requires consent of the employee. As a result of the relationship of subjectivity between the parties, there is no automatic conclusion that the employee’s consent will be invalid, and if the will of the employee is considered to be invalid, the employee must prove the invalidity.

As a result, in debate whether explicit consent is given by free will or not; if the employee claims that his/her consent for the processing of health data is invalid and that this consent was obtained by force, employee will be obliged to prove this claim with concrete evidence. Therefore, the validity of the explicit consent given by the employee must be accepted until proven otherwise.

However, it should be duly noted that in the decisions of the Authority regarding the employee-employer relationship, the free will of the employee will be damaged in cases where the opportunity not to give consent to the employee is not presented effectively or where not giving the consent will cause a possible negativity for the employee, as a result herein data processing cannot be based on explicit consent. Therefore, it will be convenient for employers to present the information to their employees in the most transparent way, to give them the assurance that they are not obliged to give consent and that they will not face any negative consequences as a result of not giving consent.

Should employers process relevant data from each employee?

The collection of the data to be processed from each employee may not be in accordance with the purpose of collecting data of employers. Since the purpose of the employer to ask the employee’s vaccination information and PCR test results is to establish the workplace environment in a healthy manner, to protect the health of other workers and thus to fulfill their obligations regarding workplace health and safety, it would be contrary to the purpose of collecting the data; to ask for the test results of an employee who is working from home as a requirement of its job.

Therefore, employers should conduct a review for each employee or department and request the data of their employees for the extent which is necessary and in accordance with the purpose.

The Covid-19 pandemic and how to proceed in terms of vaccination activities are rising certain issues along with it. There is still no clarity in our laws on how to act in the event of an epidemic and how the data should be processed, resulting in situations undecisive and that have no solution. In light of the above-mentioned, employers should keep in mind; not to forgot obligation to inform while processing of health data of the employees and process the data of their employees as minimal as possible and based on the purpose, and act in accordance with the legislation (including Authority decisions and PDPL).

The fact that employers’ act on “Everything Is Forbidden Unless Allowed” principle instead of “Everything Is Free Unless Banned” principle will help to prevent possible violations and sanctions while processing of personal data.