Processing of personal data related to COVID-19 test results and vaccination-infection status of employees – Confidentiality
During the Covid-19 pandemic, many companies have offered their employees the option to work remotely, and hybrid work models have also recently come under consideration. For many purposes related to occupational health and safety, reducing the risk of infection in the workplace and determining new working conditions, employers need to collect personal data from their employees such as PCR / antibody test results and information on whether they are vaccinated, whether they have had Covid-19 before, etc. On the basis of the information gathered, employers must take the necessary measures. In addition, employees' HES codes (codes assigned to each person through the government app "Hayat Eve Sığar" that show, based on Ministry of Health records, whether the person is at risk for Covid-19, and that include information on the person concerned such as infection with Covid-19 or contact with a Covid-19 case, if applicable) are regularly checked by employers. All of this information is personal data and therefore subject to personal data protection legislation.
A. Additional obligations of employers with regard to occupational health and safety
The importance of the subject is also underlined in the circular "Covid-19 measures at workplaces" of 02.02.2021 (the "Circular") of the Ministry of Labor and Social Security (the "Ministry"). According to the Circular, employers are required to inform their employees about protective and preventive measures regarding health and safety risks that may be encountered in the workplace. In addition, employers are requested to separately inform, in writing, their employees who have not been vaccinated or whose vaccination has not yet been completed.
Along with the measures taken in many sectors and in relation to various activities, it was reported that from 06.09.2021 employers may ask their unvaccinated employees to take a PCR test once a week and keep records of the relevant test results.
The Circular, issued by the Ministry under the Occupational Health and Safety Act, aims to provide and maintain occupational health and safety and to improve the current situation. The obligations introduced by the Circular should be regarded as generally associated with the other obligations of employers arising from legislation on health and safety at work.
B. Classification of personal data related to test results and vaccination / infection status and conditions for processing these types of personal data
Employee personal data regarding vaccination and infection status, test results and HES codes containing information on risk status are assessed as health data under the Personal Data Protection Act (the "Law"). Accordingly, the relevant data may only be processed in accordance with the Law. Health data is considered a special category of personal data within the scope of the Law, and the processing of such data is subject to more stringent rules.
1. Assessment according to the general principles of the law
All personal data, including health data, must be processed in accordance with the general principles governed by Article 4 of the Law. In this context, only relevant and limited personal data that are necessary for the purpose of the processing may be processed, taking into account the principle of proportionality. The relevant principles introduced by the Law are also regarded as data minimization principles in Turkish law. In accordance with these principles, the processing of excessive personal data not necessary to achieve the purpose of the processing, or the collection of personal data unrelated to any purpose of the processing, would be considered a processing activity that does not comply with the Law, even if the data subjects consent to it. For example, in the case of remote work where employees are not expected to meet physically, an employer asking its employees for PCR / antibody test results may be a processing activity not in accordance with the Law, unless the employer can reasonably justify the processing concerned.
Employers must always evaluate the personal data they collect in accordance with Article 4 of the Law and take into account the connection and proportionality of this data with their purpose of processing. In this context, employers should not process personal data that is not necessary for their purposes.
Prior to the Circular, where employee vaccination status or PCR test results were requested, it was suggested that employers assess whether they could take different measures for occupational health and safety without collecting such sensitive personal data about their employees. For example, where the employer is able to offer its employees the opportunity to work remotely, whether a request for such information could be proportionate was under discussion.
Nevertheless, after the Ministry's Circular regulating employers' obligations to process such personal data, it can be said that the personal data collected and recorded within the framework of the Circular comply with the data minimization principle under Article 4 of the Law. In any case, all health data collected by employers for occupational health and safety purposes must be processed lawfully and fairly, be accurate and, where necessary, kept up to date, and be retained only for as long as the purpose of the processing requires.
2. Explicit informed consent
The processing of health data is subject to more restrictive conditions than those applicable to other personal data. According to Article 6/3 of the Law, personal data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons bound by an obligation of secrecy or by authorized institutions and public bodies, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health services.
Although some academics and practitioners argue that employers have a confidentiality obligation with respect to their employees' personal data, companies are not subject to an obligation of secrecy imposed by law. Confidentiality obligations under occupational health and safety legislation should not be regarded as an obligation of secrecy in this sense. Nor are companies authorized institutions or organizations.
In principle, employers may only have health data processed without explicit consent by the occupational physician. However, in order to achieve the aforementioned occupational health and safety objectives, it may not be sufficient for the occupational physician alone to obtain the information in question. Administrative decisions based on information gathered from employees, and the sharing of that information with human resources and management, may also be necessary. Therefore, the safest option would be to request explicit consent for the processing of the relevant health data for occupational health and safety purposes. Even where explicit consent is obtained, companies should still restrict who can access the relevant data.
Controllers should also be aware that explicit consent should be based on the privacy notices that must be provided to data subjects in accordance with Article 10 of the Law. The obligation to inform data subjects of the processing of their personal data must be fulfilled in accordance with the "Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform" of the Turkish Personal Data Protection Authority. Accordingly, as data controllers, employers must have informed their employees of which personal data and health data will be processed and for what purposes, to whom the personal data may be transferred and for what purpose, how the relevant personal data will be collected and on what legal grounds, and what rights employees have under the Law.
Technical and administrative measures required for processing health data
Data controllers are required to take all technical and administrative measures necessary to ensure a sufficient level of security to prevent unlawful processing of personal data, protect the security of personal data and prevent unlawful access to personal data.
The resolution also regulates the administrative and technical requirements for the electronic and physical platforms on which such personal data is processed, stored and / or accessed, as well as the matters to be taken into account when transferring such personal data (including sending it by email).
Employee personal data such as vaccination and infection status, test results and HES codes will be considered health data. In this context, even if the processing of data within the framework of the Circular complies with Article 4 of the Law, the processing of the relevant data by any member of staff / representative other than the occupational physician, and the use of the relevant data for any matter outside the scope of the occupational physician's authority, requires the explicit informed consent of the affected employees. Under the Law, where employers process such personal health data on the basis of the Circular but without explicit consent, this may create a risk of sanctions for employers.
On the other hand, work is under way on amending the legislation, including the Law. In this context, it is also on the agenda to introduce a legal basis for processing sensitive data, including health data, without explicit consent where this is mandatory to fulfill obligations relating to employment, health, social security or social services. Therefore, developments relating to these legislative changes should be closely monitored.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.