First of all, we would like to state that the opinions expressed in this article are based on the relevant legal regulations and judicial decisions, but consist of our own opinions and are for guidance purposes only. Our company cannot be held responsible for the decisions to be taken in line with these views.
As it is known, due to the COVID-19 epidemic, the use of HES code is included in our daily life. The use of HES code aims to control whether the person is in the risk group, to follow the cases, and to reduce the risk of spreading the disease.
The Ministry of Health has allowed employers with more than 500 employees to collectively query the HEPP code. For this process, the application to the Ministry of Health must be approved beforehand. Detailed information on this subject can be accessed from the website of the Ministry of Health and from the link below:
HEPP Code Inquiry Institutional Integration Document
However, we find it useful to evaluate the HEPP codes of employees and visitors in workplaces that are not within the scope of this integration in terms of KVKK.
We do not need to mention whether the HEPP Code is a "personal data" or not, since it is a code that is directly linked to a specific natural person, the HEPP code is personal data and its processing should be considered within the scope of KVKK.
When we evaluate it within the processing conditions in Article 5 of the Law on the Protection of Personal Data, it is considered that the code can be processed within the scope of 1) mandatory data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned, 2) express consent.
Explicit consent is a processing condition whose validity is subject to certain conditions, as repeated over and over in Board decisions. If the practice of not allowing people who are not asked for the HEPP code at the workplace entrance to the workplace will be implemented, it will not be possible to talk about an explicit consent here. Although it is debatable whether it will bring benefits or not, a voluntary inquiry seems possible if necessary clarification and explicit consent texts are prepared and approval is obtained from the relevant person.
Question in a nutshell: It is gathered at the point whether the compulsory HEPP code query process can be considered within the scope of “legitimate interest”.
In the context of mutual responsibilities established between the employee and the employer due to the personal nature of the employment contract, the employer has to protect the employee, take measures against the damages that the employee may suffer due to his work, and refrain from behaviors that will harm his interests.
The legal basis of the occupational health and safety measures that the employer should take is the employer's obligation to supervise the worker, which is regulated in the TCO No. 6098. The employer's duty to watch over the worker, TBK art. It is stated as follows in 417/f.2:
The employer is obliged to take all necessary measures to ensure occupational health and safety in the workplace, to keep the tools and equipment in full, and the workers are obliged to comply with all measures taken regarding occupational health and safety.
Beyond that, it is obligatory for the Employer to take all necessary measures to ensure the health and safety of workers in the workplace, in accordance with the OCCUPATIONAL HEALTH AND SAFETY LAW No. 6331.
(6331 Law Article 4: (1) The employer is obliged to ensure the occupational health and safety of the employees, and in this context; a) To take all kinds of measures, including the prevention of occupational risks, training and information, and organization, It works to provide the necessary tools and equipment, to adapt health and safety measures to changing conditions and to improve the current situation.)
There are many articles on the precautions to be taken in the workplace. In the texts published by the Ministry of Family and Labor (https://ailevecalisma. gov.tr/covid19/sikca-sorulan-questions) It has been stated that visitor entry and exit to the workplace should be restricted.
In the event that the employee is infected with the Coronavirus as a result of the employer not taking the necessary precautions at this stage, it is possible to accept this situation as a work accident depending on the nature of the concrete event.
Indeed, with the decision dated 15.04.2019, numbered 2018/5018 E.-2019/2931 K., by the 21st Civil Chamber of the Supreme Court of Appeals, "H1N1 in the case concerning a truck driver with H1N1 (swine flu)" has been accepted as "work accident". Although this case is not against the employer; Although it is a work accident detection lawsuit filed against SGK, it is important because it is a work accident detection case within the meaning of Article 13 of the Law No. 5510.
In addition to the issues we have explained, taking into account the prevention of the spread of the epidemic and the public interest, we believe that the Employer has a legal interest in implementing the mandatory HEPP Code inquiry.
However, the necessity of performing a "balance test" in the case of data processing based on "legitimate interest" is also emphasized by the Board in all relevant decisions. This balance test can vary from workplace to workplace, the need for protection of every workplace will not be the same, and the measures to be taken in this direction will also vary. In our article, an evaluation is made for a workplace that is deemed necessary to take this measure.
When we evaluate whether the HEPP code will harm the fundamental rights and freedoms of the person concerned, the fact that the HEPP code does not make any sense on its own means that the person's T.C. Since it does not contain other information such as an identity number and only includes a determination of whether the person has COVID-19, it is considered that it does not have a feature that restricts fundamental rights and freedoms.
We would like to state again that these evaluations should be made separately for each workplace and our opinions do not contain general conclusions.
We strongly remind you that the obligation to inform must be fulfilled, that the data must not be used or stored contrary to its purpose. In addition, it is known that the Personal Data Protection Authority has a study on the subject, and we would like to point out that it will be necessary to take action in line with the study that is thought to be published soon.
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.