As it is known, the principles of transfer of personal data abroad are regulated in Article 9 of KVKK. According to this regulation, in transfers to countries that are not counted among adequate countries, with a commitment to be signed between the person to whom the transfer will be made and the person who will make the transfer, permission must be obtained from the Board. However, adequate countries have not yet been announced by the Authority and it is likely that it will take time to identify safe countries, as we see from the "Criteria to be Based on Determining Countries with Sufficient Protection" published by the Authority. Since the adequate countries have not yet been announced, although people go for permission from the Board, there are also some difficulties in this process. Considering these difficulties, the Authority announced the Binding Corporate Rules institution and announced the method to facilitate data transfer for multinational group of companies. In this method announced, the process of obtaining permission from the Board will be carried out, as well. However, it should be noted that although a different alternative has been presented by the Authority, the question marks in transferring abroad have still not been eliminated, since the adequate countries have not been announced yet. Besides, as we will explain below, the announcement that the application of the Binding Corporate Rules will be finalized by the Authority in 1 year and this period will likely to be extended for 6-month periods shows that this process will not be short, as well.

The "Pandemic Isolation Tracking Project", which aims to observe the movements of quarantined people and regions, has been announced by the Presidency Of The Republic Of Turkey; in the announcement, it is stated that the aim of the project is to make analysis to prevent further spread of the epidemic.

In the project, which will be carried out in cooperation with the Ministry of Health, Information Technologies and Communications Authority and all GSM operators, it has been realized that the location information of the individuals will be monitored by GSM operators, which may violate personal data security and privacy.

By publishing an announcement regarding the subject on 09.04.2020, the Personal Data Protection Authority has declared that the processing of the location data by the authorized institutions and organizations in order to prevent further spread of the pandemic will be considered under the exception of the Article 28 of KVKK, as the epidemic disease threatens public safety and public order; in other words, that the Law shall not be applied for this activity.

Due to the Covid-19 Coronavirus epidemic, which is on the agenda of the whole world, many companies switched to remote working. However, some companies could not start working remotely, from homes due to lack of technical infrastructure, while some companies switched to remote working in means of working from home without being aware of the systems that they had to set up in their technical systems and without taking the necessary precautions.

Among the guideline of frequently asked questions published by Turkish Personal Data Protection Authority (KVKK) and ICO on the subject, the question "What kind of security measures should be taken to work from home?" has been answered stating that data protection is not a barrier to working from home and that usual security measures should be applied during working remotely, as well.

In the Guidelines for Safe ‘Remote Work’ published by the National Cyber Incidents Response Center within the scope of corona virus outbreak measures, the importance of the measures are described as follows: Defining a time-out for maximum connection time on systems, temporary establishment of the rules defined during remote work, "source IP" restrictions for remote connections where possible, multi-factor authentication and time-based authorization measures for access, ensure that remote access is not permitted for access to any critical systems that should not be defined according to the risk assessment.

So, what aspects should companies take into consideration when working remotely?

Due to the Covid-19 virus, necessary precautions have been taken by the organizations; within the scope of these precautions, the possibility of unauthorized access to personal data has emerged, including health data of employees or third parties. Organizations should be very careful to avoid possible violations which might directly impact the rights and freedoms of persons when taking relevant preventive measures. In this process, organizations can follow the methods in the precautions to be taken, which are elaborated as follows:

1. Remote Working

In order to ensure business continuity, an organization may go for the option of remote working in this period. In such case, if organizations do not already have sufficient technical infrastructure, certain difficulties may be faced. For example, within the scope of this measure taken to protect public health, the personal phone numbers of people who do not use the company phone for communication between people, other employees, business partners, customers, suppliers etc., can be shared with third parties. While this transfer/sharing of information has a legitimate aim, it is well known that it must be based on the explicit consent of individuals. In cases where people do not give explicit consent or withdraw their explicit consent, providing a company line to the person would be an appropriate solution.