Processing Location Data in Scope of COVID-19 Measures
The "Pandemic Isolation Tracking Project", which aims to observe the movements of quarantined people and regions, has been announced by the Presidency of the Republic of Turkey; the announcement states that the aim of the project is to carry out analyses to prevent the further spread of the epidemic.
The project will be carried out in cooperation with the Ministry of Health, the Information Technologies and Communications Authority and all GSM operators. It is understood that the location information of individuals will be monitored by GSM operators, which may violate personal data security and privacy.
In an announcement on the subject published on 09.04.2020, the Personal Data Protection Authority declared that the processing of location data by authorized institutions and organizations in order to prevent the further spread of the pandemic will be considered under the exception in Article 28 of KVKK, as the epidemic disease threatens public safety and public order; in other words, the Law shall not be applied to this activity.
In other words, although it has yet to be clarified how the process will be carried out, there is no legal obstacle, especially in terms of the legislation on the protection of personal data, to processing location information monitored through mobile applications or network data in order to carry out analysis studies such as ensuring the effective isolation of people who have or are likely to have contracted the disease, mapping the further spread of the disease, or identifying crowded places.
However, although this practice is subject to the exemption clause of KVKK, considering Paragraph 3 of Article 20 of the Constitution and Article 8 of the European Convention on Human Rights, it is clear that the authority of public institutions is not unlimited in this respect; they must comply with the principle of proportionality and take the necessary measures to ensure data security.
On this subject, the Authority emphasized that data security should be taken into consideration in the methods used to ensure public order and public security, and declared that the relevant institutions and organizations should take all necessary technical and administrative measures regarding the protection of personal data. In addition, the Authority explicitly stated that the personal data should be destroyed if the reasons requiring the processing of this data no longer exist.
You may contact us if you require any further information on the subject.