Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Turkey: Personal data protection aspects of the COVID-19 pandemic

Among other unprecedented issues related to employment and emerging forms of remote and flexible working, the COVID-19 pandemic poses a significant challenge to personal data protection frameworks. Okan Gunduz, Partner at Gunduz Legal, answers pressing questions regarding privacy, employment, remote working, and general safety measures at the workplace in Turkey.

wayra / Signature collection / istockphoto.com

How has COVID-19 impacted privacy at the workplace?

Similar to the practices across the world, remote working has become a preferable common way of working during the pandemic. The Ministry of Family, Labor and Social Services issued the long-awaited Regulation on Remote Working (‘the Regulation’), which came into force on 10 March 2021.1

Data protection risks associated with remote working

The Regulation provides that the definition and scope of the data required to be protected within the scope of remote working must be determined under the employment agreement. The Reguation also emphasises that employers must take all necessary measures for the security of the data. Moreover, the employee is required to comply with the rules as informed by the employer.

The Personal Data Protection Authority ('KVKK') has not issued any specific guidelines regarding the measures to be taken with respect to remote working. The KVKK's general guideline for Personal Data Security2 on the measures required to be taken by data controllers for processing sensitive personal data should be considered and world-wide precedents applied, while employers should take into account all necessary measures in terms of cybersecurity.

Are there any guidelines provided by the KVKK for employers during the pandemic?

Processing of COVID-19 test results and vaccination data

The Ministry of Interior issued a circular on 20 August 2021, addressing the risks posed by the pandemic in terms of public health and public order, and made it mandatory for individuals wanting to participate in activities, such as concerts, cinemas, theatres, and public transportation vehicles, to provide COVID-19 vaccination information and/or PCR test information with negative results.

The Ministry of Family, Labor and Social Services also issued a circular on 2 September 2021 on the protective and preventive measures against the health and safety risks that may be encountered at the workplace. Thereby, it stated that employees who have not been vaccinated against COVID-19 are required by the workplace/employer to get a mandatory PCR test once a week, with the test results potentially being recorded in order to take necessary actions.

The above-mentioned statements of the Ministries required clarification on whether the said measures would be considered in compliance with the provisions of the Law on Protection of Personal Data No. 6698 ('the Law'). To address the issue, the KVKK published a public announcement regarding the processing of PCR test results and vaccination data on 28 September 2021.3

The KVKK’s announcement regarding the processing of PCR test results and vaccination

The KVKK noted that information about the health status of individuals, such as diagnosing, testing, reporting, and vaccination, qualifies as special personal data and must be processed in accordance with the processing conditions set forth in in the Law.

The processing of personal data within the scope of activities carried out by public institutions and organisations authorised by law in order to prevent the contagiousness of the pandemic would be compliant with the authority given in the Law. However, the KVKK stated that personal data processing activities that are outside of, or exceed, the activities for the purpose of protecting public security and public order carried out within the scope of the COVID-19 pandemic must still be subject to the requirements of the Law.

KVKK’s announcement on COVID-19 related Frequently Asked Questions ('FAQs')

The KVKK has made a public announcement on 27 March 20204, summarising the important issues to consider under the law, while combating COVID-19, and included a FAQ section.

Below are the responses provided by the KVKK in relation to questions including employment aspect of COVID-19.

What kind of safety measures should be taken during remote working?

To minimise the risks that may arise from remote working, the data traffic between the systems should be carried out with secure communication protocols and not contain any weaknesses, taking all kinds of precautions, especially keeping the anti-virus systems and firewalls up-to-date, and informing the employees to adhere to them.

Can an employer disclose to colleagues or other employees that an employee is infected with COVID-19?

The employer should inform the employees about the incidents. When informing, it is not necessary to give the names of individuals, but rather only strictly necessary information. In cases where it is obligatory to disclose the name of the employee(s) infected with the virus in order to take protective measures, it is good practice to inform the relevant employees beforehand. The employer has responsibilities to ensure the health and safety of their employees, whilst also complying with the duty of care.

Can an employer ask information about virus symptoms from employees and visitors?

Employers have the legal obligation to protect employee health and provide a safe workplace. Thereby, employers would have the justification for asking employees and visitors to inform themselves whether they have visited an area affected by the virus and/or if they show COVID-19 symptoms. However, such requests should be based on the principles of proportionality and necessity and risk evaluation.

Can employer share the health information of the employees with the authorities for public health reasons?

Yes, in accordance with Article 8 of the Law and within the scope of other legislation on the pandemic.

Okan Gunduz Partner
[email protected]
Gunduz Legal, Istanbul


1. Available at: https://www.resmigazete.gov.tr/eskiler/2021/03/20210310-2.htm (only available in Turkish)
2. Available at: https://www.kvkk.gov.tr/yayinlar/veri_guvenligi_rehberi.pdf (only available in Turkish)
3. Available at: https://www.kvkk.gov.tr/Icerik/7055/COVID-19-PCR-TEST-SONUCU-VE-ASI-BILGISI-UYGULAMALARINA-ILISKIN-KAMUOYU-DUYURUSU (only available in Turkish)
4. Available at: https://www.kvkk.gov.tr/Icerik/6721/KAMUOYU-DUYURUSU-Covid-19-ile-Mucadele-Surecinde-Kisisel-Verilerin-Korunmasi-Kanunu-Kapsaminda-Bilinmesi-Gerekenler- (only available in Turkish)