The purpose of Law 6698 on the Protection of Personal Data (Law 6698) is to:
- protect people's fundamental rights and freedoms, particularly the right to privacy, with respect to the processing of personal data; and
- set out binding obligations, principles and procedures for natural persons and legal entities that process personal data.
Law 6698 applies to natural persons whose personal data is processed and natural persons or legal entities that process such data – wholly or partially and by automated or non-automated means – provided that they form part of a data filing system. This article evaluates the processing activities carried out by employers as data controllers in the context of the processing of employees' personal data within a data filing system.
Within the scope of Law 6698, the concept of an "employment relationship" is interpreted fairly broadly. Regardless of the type of employment contract, all employees – including those currently employed, prospective candidates and those whose employment contract has expired – are considered "data subjects" within the scope of Law 6698. However, although the employer and all types of employee are subject to the rights and responsibilities attributed to data controllers and data subjects within the scope of Law 6698, there are a few ways in which employment relationships differ from others.
The most important feature distinguishing employment relationships from other situations is the existence of loyalty to the employer. This issue is the most important factor differentiating employees from other data subjects within the scope of Law 6698, and means that employees need more protection, pursuant to the Labour Law and Supreme Court case law. The most common subject of dispute in labour lawsuits is whether the employee has acted (eg, resigned or relocated) under their own free will. For this reason, legal regulations set out in detail any issues relating to employers within the scope of an employment relationship, instead of such issues being left to employees.
This concept is also important within the context of Law 6698 because one of the legal reasons for the processing of personal data is explicit consent. Such explicit consent may be the only justification for legal compliance in the processing of special categories of personal data. Within the scope of Law 6698, there are three elements of explicit consent – namely, that:
- the consent is relevant to the particular subject whose data is being processed;
- the consent is informed; and
- the consent is freely given.
However, asking for the explicit consent of people who are currently working for an employer to process their data is questionable because of the issue of loyalty; it is both controversial and difficult to prove that an employee's consent is given freely. The same problems exist for prospective candidates and employees whose employment contracts have been terminated. In a relationship where there are financial implications, free will – one of the elements of explicit consent – will often not be possible or may be a matter of discussion. However, many employers wish to process various categories of their employees' personal data for projects to serve a purpose within their workplace.
Accordingly, it is necessary for employers to evaluate the conditions for processing personal data that may apply in such circumstances – namely, that:
- the "processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract"; and
- the "processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject".
Such conditions often constitute sufficient legal grounds for processing the relevant data without seeking explicit consent. The anonymisation of personal data, especially for special categories of personal data, can be an alternative to seeking explicit consent for processing personal data. However, this is not always possible; it may be necessary to process special categories of personal data without anonymisation.
Tests for covid-19 and health reports became highly important during the pandemic. All kinds of data relating to a person's health – including medicines taken, diseases and vaccinations – are considered special categories of personal data. Therefore, stricter conditions apply regarding the processing of such data. Processing special categories of personal data requires:
- the data subject's explicit consent; or
- permission under law.
Pursuant to article 6(3) of Law 6698, personal data concerning an individual's health and sexual life may be processed without seeking the data subject's explicit consent only by those who are subject to secrecy obligations or competent public institutions and organisations for the purposes of:
- protection of public health;
- administration of preventive medicine;
- medical diagnosis;
- treatment and nursing services; and
- the planning and management of healthcare services as well as the financing thereof.
Therefore, in situations where an employee's health data needs to be processed, an employer may rely on this regulation instead of asking for their explicit consent.
Once a significant proportion of the population was approved to be vaccinated against covid-19, it became important for employers to process their employee's vaccination-related data. According to the Ministry of Health, covid-19 vaccines are not mandatory; therefore, in principle, employees cannot be forced to get vaccinated. However, employers have the obligation to maintain a safe environment in the workplace. Vaccination-related data can thus be processed by employers for the purpose of meeting this obligation and regulating restrictions in the workplace. If employers do not wish to seek their employees' explicit consent due to the aforementioned risks of the validity of such consent in employment relationships, article 6(3) of Law 6698 is applicable.
Importantly, vaccination-related data must be collected and processed through a workplace or an assigned doctor. It is also important that nobody other than the workplace or assigned doctor can access such data. Employees' health data can thus be processed without seeking explicit consent and only with prior notice. If workplace restrictions are based on the results of this processing activity and some information needs to be shared with other departments, this data should not be related to the health details of identified or identifiable persons. To make this possible, health data can be kept confidential or anonymised. When such methods are followed, the processing of employees' data relating to their covid-19 vaccination status must comply with Law 6698.
For further information on this topic please contact Burak Özdağıstanli, Bensu Özdemir or Sümeyye Uçar at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected], [email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/.