2020 was the year of the pandemic. In the first few days of 2021, we are still discussing whether the end of the global crisis caused by it is in sight. Yet, it seems that we are also getting used to living in a world where our health data is fair game for any place we enter, be that our workplace or the hotel we just checked into. Health data is processed these days in the name of preventing the spread of the disease, and often comes in the shape of direct diagnoses through tests, verbal or written declarations of whether we have tested positive for the disease, and even body temperature checks.
This article discusses whether the data obtained and used for purposes of preventing the spread of the disease fall within the scope of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and/or the Turkish Personal Data Protection Law No. 6698 (“KVKK”). Prior to taking on any activity which may fall under data protection legislation, it is important to perform due diligence to comply with applicable laws, especially because a lot of the time the data processed includes health data (which is “sensitive” or “special category” data), the processing of which is subject to stricter rules than most other data.
GDPR stipulates that it applies to the processing of personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” This excludes processing of personal data that are neither recorded in a filing system nor processed by means of an automatic device. Similarly, KVKK only applies to the processing of data wholly or partially by automated means, or by non-automated means provided that the data form part of a data filing system. So, if a storekeeper simply asks their visitors whether they’ve been abroad or if they’ve shown any symptoms in the past two weeks to decide whether to allow them into the store, and does not record the information electronically or physically, neither GDPR nor KVKK will apply to this processing activity. On the other hand, it should be noted that any surveillance activities which have direct (presumably negative) results for the data subject (such as a vocal warning or an obstacle to entry upon checking their temperature) should be monitored closely so as not to infringe upon the subject’s rights to privacy. (For more information on the Dutch DPA’s guidance on temperature checks during the pandemic, see DLA Piper’s “Up Again Netherlands: Privacy and Data”.)
Another limitation of the scope of these two pieces of legislation is that they only apply to data of “identified or identifiable natural persons”, meaning that any processing of data that does not have the potential to reveal the data subject’s identity is excluded. In the context of the measures taken during the pandemic, this is an important limitation, as a lot of data controllers process data ‘on the go’, meaning that the data obtained are not tied to the identity of the subjects. A great and widespread example of this kind of processing is manual temperature checks upon entrance to malls, government buildings, etc. Temperature checks that are not recorded along with information making the subject identifiable (such as a list) are thus not, in general, in the scope of GDPR or KVKK. However, if temperature checks are accompanied by other activities which may reveal the identity of the person (such as recordings on a surveillance camera nearby, or filling in a patient form at an information desk after being screened at the door), it is safe to assume that personal data protection legislation is applicable.
Elif Yava-Stanley, LLM