On 28.09.2021, the Personal Data Protection Authority published a public announcement on the COVID-19 PCR test results and vaccine information applications.
The rapid spread of the COVID-19 epidemic around the world has caused individual and social changes. Within the scope of the measures taken around the world, new legal problems have emerged, especially as a result of the interference with fundamental rights and freedoms. Due to the epidemic, certain measures are taken by accessing personal information, such as whether people have had COVID-19 before, whether they have been vaccinated, their PCR / antibody test results, whether they are in quarantine (determined by checking the HES code through the Life Fits Home application), and their contamination and contact situations. However, it should be noted that such information is personal data of a special nature in accordance with Article 6 of the Law on the Protection of Personal Data No. 6698, and that these data can only be processed with the explicit consent of the person or persons concerned. Therefore, it is open to debate whether explicit consent is obtained in cases where this information is recorded, shared and requested within the scope of social activities. According to the Institution, the processing of health data related to PCR testing and vaccination does not constitute a violation, since it serves to protect public health, public security and public order in accordance with article 28/1(ç) of the Law on the Protection of Personal Data No. 6698.
The European Union General Data Protection Regulation (GDPR) contains a regulation similar to KVKK in terms of processing health data. Pursuant to article 9/2(i) of the GDPR, the health data of the persons concerned can be processed without their explicit consent for the purpose of protecting public health against serious cross-border threats to health, or for the public interest in the field of health services and public health, regardless of whether the processor is a public or private institution. However, unlike the regulations in KVKK, there is no limitation in GDPR on who can process health data.
As a result, because the processing and sharing of health data such as vaccination, HES code, etc., which emerged as a result of the epidemic, is new, uncertainties arise within the scope of personal data protection law. When this uncertainty is evaluated within the scope of COVID-19, it is necessary to protect public health and the public interest, but the interest of the patients concerned in the confidentiality of their health data should not be ignored. When it comes to the provision and protection of public health, decisions to share health data should be taken only where the benefit to be obtained is superior to the benefit of confidentiality, and more detailed legal regulations should be introduced on the protection of public health.