Evaluation Of The Announcement Regarding The Covid-19 PCR Test Result and Vaccine Information Application By The Personal Data Protection Board 30 September 2021

The Decision of the Personal Data Protection Board (Board) dated 28/09/2021 and numbered 2021/980 was shared with the public, along with the announcement published by the Personal Data Protection Authority (“The Authority”) on 28.09.2021. We share our reviews below on the aforementioned decision about how to follow the Personal Data Protection Law (Law) No. 6698 regarding PCR test and/or vaccine information requests in order to prevent the spread of the Covid-19 epidemic disease, which continues to show its effect all over the world and in our country.

The Decision of the Personal Data Protection Board (Board) dated 28/09/2021 and numbered 2021/980 was shared with the public, along with the announcement published by the Personal Data Protection Authority (“The Authority”) on 28.09.2021. We share our reviews below on the aforementioned decision about how to follow the Personal Data Protection Law (Law) No. 6698 regarding PCR test and/or vaccine information requests in order to prevent the spread of the Covid-19 epidemic disease, which continues to show its effect all over the world and in our country.

What are the Reasons that Drive the Board to Take This Decision?

As it is known, in the letter dated 20.08.2021 sent by the Ministry of Internal Affairs to the 81 Provincial Governorships and to the relevant Ministries for information; In order to minimize the risk posed by the epidemic in terms of public health and public order, it has been made obligatory for the people who want to participate in activities such as concerts, cinemas, theaters and public transportation vehicles to report Covid-19 vaccine information and/or PCR test information with negative results.

Likewise, in the letter dated 02.09.2021 sent by the Ministry of Labor and Social Security to 81 Provincial Governorships and to the relevant Ministries for information, within the scope of protective and preventive measures against health and safety risks that may be encountered in workplaces; It has been stated that workers who are not vaccinated against Covid-19 may be required by the workplace/employer to have a PCR test taken once a week, and the test results will be recorded in order to take necessary actions.

The Board made the relevant decision by referring to the circulars issued by the above-mentioned public institutions and due to a vast number of questions inclusive of these circulars.

How Should the Processing Purposes and Quality of Personal Data to be Processed Be Evaluated Within This Period?

It is stated by the Board that exactable Covid-19 vaccine and PCR test information, which are mentioned in the circular, are related to the health status of the individuals, and are in the category of special quality personal information according to Article 6 of the Law, and therefore the data should be processed in accordance with the given processing conditions in the same article.

 

After qualifying the personal data processed in the procedure, the Board stated that considering the effects of the Covid-19 pandemic on worldwide health, social life and economy; the processing of personal health data related to Covid-19, such as vaccination status and PCR test result, is for the purpose of protecting public health, public safety, and public order.

Considering The Feature Of The Process, Is It Possible Not To Apply The Law?

Recognizedly, the first paragraph of Article 28 of the Law determines the personal data processing activities which the Law will not be implemented to and will be out of scope. It is stated In the sub-article (ç) of the relevant paragraph that, in case "the personal data is processed within the scope of preventive, protective and informative activities carried out by public institutions and organizations that have been authorized by law to ensure national defense, national security, public safety, public order or economic security" provisions are not applicable.

From this point forth, the Board also marked that the processing of personal data within the scope of activities carried out by authorized public institutions and organizations should be evaluated within the scope of sub-article (ç) of the first paragraph, in order to prevent the contagiousness of the epidemic to eliminate this threat in cases such as epidemics that threaten public security and public order.

In summary, the Board expressed the opinion that the law will not be applicable in the procedure of processing the personal data of the relevant people by requesting the Covid-19 vaccine and PCR test information from these people within the scope of the Covid-19 epidemic in order to prevent the spread of the disease due to the fact that the epidemic caused by Covid-19 threatens public security and public order.

What are the Limits of Conditions Which the Law Will Not Apply?

The Board has determined that the Law will not be applied in the processing of Covid-19 vaccine and/or negative PCR test information if only it is done by authorized public institutions and organizations in order to prevent the spread of the disease and because the epidemic disease caused by Covid-19 threatens public security and public order. Apart from this, The Board stated that personal data processing activities, other than or exceeding the activities for the purpose of protecting public security and public order carried out within the scope of the Covid-19 epidemic, will be covered by the Law. In other words, in case of a change in the data processing activity, the Law will be applicable, and the obligations of the data controller to inform and obtain consent as a part of special data processing activities will be reactivated.

Will The Law Not Be Applied In Cases Where The Data Controller Is A Natural Or Artificial Person by the Private Law?

It has clearly stated by the Board that the Law will not be applicable in the processing of Covid-19 vaccine information and/or negative PCR test information by the data controller, who is a natural or an artificial person by the private law, to prevent the spread of the disease because of the fact that the epidemic disease caused by Covid-19 threatens public security and public order. However, in the decision taken by the Board, references were made to the circulars of the Ministry of Internal Affairs and the Ministry of Labor and Social Security, and in the cited circulars, there are not only authorized public institutions and organizations among the data controllers that will be involved in data processing.

In this context we would like to point out that, in line with the information conveyed by the Board officials, in order to prevent the spread of the disease due to the epidemic conditions caused by Covid-19 threatening public security and public order; in case the Covid-19 vaccine information and/or negative PCR test information  is submitted to the data controllers (such as commercial enterprises, trading companies, cooperatives, etc.) other than authorized public institutions, the Law will also not be applicable. However, since the reference provision shown in the Decision is a highly controversial regulation, we expect an additional explanation from the Board on this issue.

How will non-implementation of the law affect data processing?

Failure to implement the Law means the abolition of all obligations imposed by the Law, such as the data controllers’ obligation to inform the data owner, to obtain consent when necessary, to prevent personal data from changing hands.Therefore, with the relevant decision of the Board, in order to prevent the spread of the disease due to the threat of the epidemic disease caused by Covid-19 on public security and public order, we can state that the data controllers’ obligation to provide information and consent in the processing of Covid-19 vaccine information and/or negative PCR test information has extinguished.

 
 

Other News