Turkish Law Blog
Processing Employee Health Data under Turkish Personal Data Protection Law
1. General Requirements for Processing Special Categories of Personal Data
Pursuant to Article 6 of the Law on Protection of Personal Data No. 6698 ("KVKK"), data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, together with biometric and genetic data, are special categories of personal data. Under the same article, processing special categories of personal data without the explicit consent of the data subject is prohibited. KVKK provides that special categories of personal data other than data relating to health and sexual life may be processed without the explicit consent of the data subject where the processing is permitted by law, whereas personal data relating to health and sexual life may be processed without explicit consent only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons under an obligation of secrecy or by authorized institutions and organizations.
Paragraph 4 of the same article further requires that the adequate measures determined by the Personal Data Protection Board ("Board") be taken when processing special categories of personal data.
The Board determined these adequate measures in its Resolution dated 31/01/2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data".
In this context, pursuant to subparagraphs (ç) and (e) of paragraph (1) of Article 22 of the Law, the Board determined the adequate measures to be taken by data controllers processing special categories of personal data as follows:
“1- A separate security policy and procedures for the protection of special categories of personal data must be defined. The security policy and procedures must be systematic, manageable, and sustainable with rules that are clearly defined.
2- Measures for the employees who process special categories of personal data;
a) Periodic trainings with respect to the KVKK, secondary regulations and security of special categories of personal data must be provided to the employees.
b) Confidentiality agreements must be signed with the employees.
c) The scope and duration of access authorization for users who have access to data must be clearly defined.
d) Periodic access authorization controls must be carried out.
e) Access authorizations of employees whose positions have been changed or who are no longer working must be revoked immediately. In this context, the inventories assigned to such employees must be returned to the data controller.
3- If the environments where special categories of personal data are processed, stored and/or accessed are electronic, the following measures must be taken;
a) Data must be stored using cryptographic techniques.
b) Cryptographic keys must be stored in a secure and separate environment.
c) All transactions of data must be securely logged.
d) Security updates for the environments where data is processed must be monitored regularly, necessary security tests must be done and the test results must be recorded regularly.
e) If data is accessed through software, user access authorizations must be defined and security tests must be done periodically and test results must be recorded.
f) If remote access to data is required, at least a two-factor identity authentication system must be provided.
4- If the environments where special categories of personal data are processed, stored and/or accessed are physical, the following measures must be taken;
a) Ensure that adequate security measures (against electricity leakage, fire, flooding, theft, etc.) are taken depending on the nature of the environment where special categories of personal data are stored,
b) Prevent the unauthorized entry and exit by ensuring the physical security of these environments,
5- If special categories of personal data will be transferred, the following measures must be taken;
a) If the data needs to be transferred via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail account must be used.
b) If the data needs to be transferred via media such as Portable Memory, CD, DVD; it must be encrypted with cryptographic methods and the cryptographic key must be stored in a separate media.
c) If transfer is to be made between servers in different physical environments, data transfer must be performed by installing VPN between servers or by sFTP method.
d) If the data needs to be transferred as hard copy, adequate measures must be taken against risks such as theft, loss or being seen by unauthorized persons, and the document must be sent in the form of “confidential documents”.
6- In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.”
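Measures 3(a) to 3(c) and 5(b) above describe a concrete technical pattern: the data store holds only ciphertext, the key lives in a separate environment, and every transaction is logged in a way that cannot be quietly altered. The following Go program is an added illustration of that pattern, written for this page; it is not code from the Board's resolution or from any KVKK guidance. It assumes an in-memory map standing in for the separate key store (an HSM or KMS in practice), AES-256-GCM for storage encryption with the employee identifier bound as additional authenticated data, and an HMAC-chained append-only audit log whose key is also kept outside the record store. The sample record and key identifiers are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyStore stands in for the "secure and separate environment" of measure 3(b):
// the record store never holds a key, only a key identifier. An in-memory map is
// an assumption for this demo; in production this would be an HSM or KMS.
type KeyStore map[string][]byte

// Generate creates a fresh random 256-bit AES key under the given identifier.
func (ks KeyStore) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks[id] = k
	return nil
}

func (ks KeyStore) aead(id string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks[id]) // missing id -> zero-length key -> error
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealedRecord is all that the health-data store keeps (measure 3(a)).
type SealedRecord struct {
	KeyID             string
	Nonce, Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// Seal encrypts a record. The employee ID is bound as additional authenticated
// data, so a ciphertext cannot be silently re-filed under another employee.
func Seal(ks KeyStore, keyID, employeeID string, plaintext []byte) (SealedRecord, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{keyID, nonce, g.Seal(nil, nonce, plaintext, []byte(employeeID))}, nil
}

// Open fails if the key is absent, the record was altered, or it is presented
// under a different employee ID.
func Open(ks KeyStore, employeeID string, r SealedRecord) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, []byte(employeeID))
}

// AuditLog covers measure 3(c): each transaction is appended with an HMAC chained
// over the previous entry, so editing or deleting any line breaks verification.
type AuditEntry struct{ Actor, Action, EmployeeID, MAC string }

// The log key is held with the KeyStore, not next to the log itself.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) macFor(e AuditEntry, prev string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%s|%s|%s|%s", prev, e.Actor, e.Action, e.EmployeeID)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records who did what to whose data, chained to the previous entry.
func (l *AuditLog) Append(actor, action, employeeID string) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := AuditEntry{Actor: actor, Action: action, EmployeeID: employeeID}
	e.MAC = l.macFor(e, prev)
	l.entries = append(l.entries, e)
}

// Verify recomputes the whole chain and reports whether the log is intact.
func (l *AuditLog) Verify() bool {
	prev := ""
	for _, e := range l.entries {
		if !hmac.Equal([]byte(e.MAC), []byte(l.macFor(e, prev))) {
			return false
		}
		prev = e.MAC
	}
	return true
}
```

The separation is the point: a copy of the record database alone yields nothing without the KeyStore, and the same property holds for portable media under measure 5(b) when the key travels separately. The audit chain only proves integrity to someone holding the log key, so that key must be protected at least as well as the data keys.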
2. Processing of Health Data by the Employers
Since health data are one of the special categories of personal data under KVKK, employers must comply with the rules on processing special categories of personal data. Employers process health data for a variety of reasons, such as fulfilling obligations arising from legislation or for other reasons arising from the operation of the workplace.
a. Health Data Processed by Employers Due to Occupational Health and Safety Law
Article 15 of Occupational Health and Safety Law No. 6331 requires employers to process certain health data:
“(1) The employer shall;
a) ensure that workers receive health surveillance appropriate to the health and safety risks they incur at work.
b) Health examination of workers is required under the following situations:
2) Job change after the assignment.
3) In case of return to work following a repetitive absence from work due to occupational accidents, occupational diseases or health problems upon request.
4) At regular intervals recommended by the Ministry in the course of employment taking into account the workers, the nature of work and hazard class of the enterprise.
(2) Workers to be employed in enterprises classified as hazardous and very hazardous shall receive a medical report before employment.
(3) Medical reports required to be received as per this law shall be obtained from occupational physicians working in the workplace health and safety unit or joint health and safety unit. Any objection to the medical reports shall be filed to an adjudicator hospital assigned by the Ministry of Health. The decision made by the hospital shall constitute a definitive judgment.
(4) The employer shall cover all expenses arising from health surveillance and any additional expense related to this surveillance. The health surveillance may in no circumstances bring a financial burden to workers.
(5) Health data of workers undergoing a medical examination shall be kept confidential in order to ensure the protection of individual privacy and prestige.”
The Law itself therefore establishes that employers process the health data of employees by obtaining medical reports for the stated reasons.
b. Processing of Health Data by Employers Due to Social Insurance and General Health Insurance Law
Article 18 of Social Insurance and General Health Insurance Law No. 5510 provides for the benefit for temporary incapacity as follows:
“Provided that rest report is granted by medical doctor or health committees authorized by the Institution;
a) each day for an insurance holder suffering from temporary incapacity due to work accident or occupational disease,
b) In case, among the insurance holders under item (a) of paragraph one of Article 4 and Article 5, the individuals who are subject to sickness insurance, suffer from temporary incapacity due to sickness, each day starting from the third day of the temporary incapacity, provided that minimum ninety short term insurance premium is notified within one year before the starting date of the temporary incapacity,
c) In case of maternity of headmen stated in item (a) and (b) of paragraph one of Article 4 and female insurance holders under numbers (1), (2) and (4) of the same item, each day of not working including eight - week periods before and after birth and, in cases of multi birth, adding another two weeks to the said eight weeks before the birth, provided that minimum ninety days short term insurance premium is notified within one year before the birth,
d) In case the insurance holder works until three weeks before the birth, upon request of headmen stated in item (a) and (b) of paragraph one of Article 4 and female insurance holders under numbers (1), (2) and (4) of the same item and with the consent of medical doctor, for the periods added to the rest period after birth, a benefit for temporary incapacity shall be payable.”
Under the Social Insurance Transactions Regulation, the documents specified in the Regulation are transmitted to the database of the Institution over the internet or by other electronic means by the employer, subcontractor, insured person, general health insurance holder, beneficiary and other relevant persons and organizations. An electronic portal, the "e-insurance portal", has been established through which the Institution provides its notifications to the employer, insured person, beneficiary and other relevant persons and organizations.
Through this portal, employers submit to the Social Security Institution the reports concerning occupational accidents, occupational diseases and the days on which employees could not work for reasons such as rest or maternity leave. In such cases the employer notifies the health data of the employees directly to the Social Security Institution.
3. Explicit Consent and Health Data of Employees
For the processing of health data without explicit consent, KVKK does not provide the condition of "being permitted by law" that applies to the other special categories of personal data. Instead it provides that personal data relating to health and sexual life may be processed without the explicit consent of the data subject only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons under an obligation of secrecy or by authorized institutions and organizations. The justification of the relevant article gives the Ministry of Health, health institutions and the Social Security Institution as examples of persons or authorized institutions and organizations under the obligation of secrecy.
a. Obligation of Secrecy Relating Health Data
i. Employer’s Obligation of Secrecy
According to Labor Law No. 4857, “The employer shall arrange a personnel file for each employee working in his establishment. In addition to the information about the employee’s identity, the employer is obliged to keep all the documents and records which he has to arrange in accordance with this Act and other legislation and to show them to authorised persons and authorities when requested.
The employer is under the obligation to use the information he has obtained about the employee in congruence with the principles of honesty and law and not to disclose the information for which the employee has a justifiable interest in keeping as a secret.”
However, the "secrecy obligation of the employer" should not be interpreted as a right to process all of the employees' health data without explicit consent; it is limited to what the legal requirements demand, since "being permitted by any law" is not an exception to the explicit consent requirement for health data under KVKK.
ii. Occupational Physician's Obligation of Secrecy
Under Article 6 of Occupational Health and Safety Law No. 6331, titled “Occupational Health and Safety Services”, employers are required to designate an occupational physician and other health staff under the following conditions:
“In order to provide occupational health and safety services including activities related to the protection and prevention of occupational risks, the employer shall: a) designate workers as occupational safety specialist, occupational physician and other health staff. In case there is lack of personnel in the undertaking competent enough to be designated, the employer shall enlist a joint health and safety unit to partially or fully provide these services. Provided that the employer has the required qualifications and documents, these services can be offered by the employer considering the hazard class and the number of workers.”
Since KVKK makes "processing by persons under the obligation of secrecy" a condition for processing health data without explicit consent, the confidentiality obligation of occupational physicians must be examined.
Article 11 of the Regulation on the Duties, Authorities, Responsibilities and Training of Occupational Physicians and Other Health Personnel sets out the confidentiality obligation of occupational physicians as follows: “While performing their duties, they are obliged not to disrupt the normal flow of work as much as possible, to contribute to the provision of an efficient work environment, and to keep confidential the information in the personal health file of the employee and the information about the occupational secrets and the economic and commercial conditions of the employer and the workplace.”
Article 18 of the same Regulation imposes the obligation of secrecy on other health personnel as well:
“Other health personnel working in the workplace, while performing their duties specified in this Regulation, are obliged not to disrupt the normal flow of work as much as possible, to contribute to the provision of an efficient working environment, and to keep confidential the occupational secrets and the economic and commercial conditions of the employer and the workplace, as well as the information in the personal health file of the employee.”
iii. Secrecy Obligation of the Occupational Health and Safety Specialists
According to Article 15(5) of Occupational Health and Safety Law No. 6331, the health data of workers undergoing a medical examination shall be kept confidential in order to ensure the protection of individual privacy and prestige.
Under Article 9 of the Regulation on the Duties, Authorities, Responsibilities and Training of Occupational Safety Specialists, occupational safety specialists are obliged not to disrupt the normal flow of work as much as possible, to contribute to the provision of an efficient work environment, and to keep confidential the secrets and the economic and commercial conditions of the employer and the workplace. The occupational safety specialist must record in writing his or her findings and recommendations regarding the work carried out in the workplace to which he or she is assigned, and keep copies of them together with the occupational physician.
According to the ethical rules in Article 16 of the same Regulation, occupational safety specialists establish a relationship of trust, confidentiality and equality with the people they serve and treat all workers equally.
In this context, occupational safety specialists, like occupational physicians, are under an obligation of secrecy in matters falling within the scope of their duties.
KVKK requires that personal data be processed for specified, explicit and legitimate purposes, and that the data be relevant, limited and proportionate to those purposes. Employers may therefore process the health data of their employees only in accordance with these principles.
Under the general rule of KVKK, processing health data without the explicit consent of the data subject is prohibited. The exception to this rule is processing by persons or authorized institutions and organizations under the obligation of secrecy for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
Therefore, without explicit consent, employee health data may be processed only by occupational physicians and occupational health and safety specialists, and only in matters related to the legal requirements.
Since "being permitted by any law" is not an exception to the explicit consent requirement for health data under KVKK, it is not sufficient for an employer to process health data without the employee's consent merely because a law requires it. Such processing must be carried out under the secrecy obligation, and the adequate measures determined by the Board must be taken at the same time.
However, to eliminate uncertainty in practice, KVKK should be amended so that "permitted by law" is also an exception to the explicit consent requirement for health data. Alternatively, the Board should determine whether employers themselves are to be regarded as persons under the obligation of secrecy for the purpose of processing health data.
Further information: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf (accessed 21.03.2020)
Resolution of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data": https://www.kvkk.gov.tr/Icerik/4110/2018-10 (accessed 21.03.2020)
https://www.resmigazete.gov.tr/eskiler/2010/11/20101127-3.htm (accessed 20.03.2020)