As of May 22, 2020, Turkey had 154,500 cases of COVID-19 and 4,276 COVID-19 related deaths. The country has wide smartphone possession and a high rate of mobile internet use, with 75% of the population using the internet and 89% of internet users 16 to 64 years of age owning a smartphone in 2019. The Turkish Ministry of Health employs electronic systems implemented via mobile applications to inform the populace of the risks, track the spread of the virus, and implement isolation measures. To date, the Ministry of Health has launched two mobile applications; one primarily for warning users when they approach areas with a high risk of infection and preventing high-risk individuals from using public vehicles for intercity travel, and the other for assigning positive cases and their possible contacts to members of contact tracing teams. Personal health data collected by these applications appear to be processed under a special rule allowing sensitive health data to be processed without the explicit consent of data subjects for purposes of the protection of public health.
In Turkish law, the general personal data protection framework is set by the Law on the Protection of Personal Data (LPPD). The Turkish personal data protection framework is largely harmonized with EU data protection law, albeit there exist certain divergences. In the electronic communications sector, the retention of traffic data, including certain categories of personal data, and the processing of location data by service providers are governed by the Regulation on the Processing and Protection of the Privacy of Personal Data in the Electronic Communications Sector (ECommDPR). The ECommDPR allows the use of location data without the consent of the data subject in cases of disasters, emergencies, and emergency calls.
According to the Turkish Ministry of Health, by May 22, 2020, Turkey had 154,500 cases of COVID-19 and 4,276 COVID-19 related deaths with 116,100 patients recovered and 1.77 million tests administered; 800 patients remained in ICUs, of which 401 were intubated. Turkey was ninth in the list of countries with the most COVID-19 cases on May 22nd, according to the Johns Hopkins University Coronavirus Resource Center.
In response to the outbreak, the Turkish government has deployed an array of electronic measures aimed at informing the populace of the risks, tracking the spread of the virus, and implementing isolation measures. These measures are mainly implemented with mobile applications running on smartphones or tablet computers, which citizens can install on their devices on a voluntary basis. The Ministry of Health appears to process the personal data collected through these applications under a public health-related exception regime that exists under the Turkish personal data protection framework.
Turkey has wide smartphone possession and a high rate of mobile internet use. According to data released by the Turkish Statistical Institute, 98.7% of households in Turkey had a mobile phone (including smartphones) in 2019, with 88.3% of households having internet access and 75.3% of the population using the internet. According to the Digital 2020 report published by We Are Social, a UK-based digital marketing agency, of the 62.07 million internet users in Turkey (74% of the population), 58.23 million (93.8%) were also mobile internet users. The report found that 74.8% of web traffic (websites served to web browsers) is attributable to mobile phone use, and 89% of internet users 16 to 64 years of age own a smartphone.
II. Legal Framework
A. Privacy and Data Protection
Article 20 of the Constitution of Turkey enshrines a person’s right to protection of his or her privacy and personal data, providing that “[p]ersonal data can be processed only in cases envisaged by law or by the person’s explicit consent.” Turkish personal data protection law is largely harmonized with the European Union’s data protection framework. The main national legal framework that provides the general rules and principles of personal data protection in Turkish law is set forth in the Law on the Protection of Personal Data (LPPD) and the various relevant secondary legislation that governs certain aspects of personal data protection law such as the processing of personal health data, the protection of personal data in electronic communications, and the erasure, destruction, or anonymization of personal data. These are complemented by personal data protection statutes in numerous laws that regulate the provision of services in the public and private sectors. The protection of privacy and personal data in the electronic communications sector is governed by the Regulation on the Processing and Protection of the Privacy of Personal Data in the Electronic Communications Sector (ECommDPR).
1. Law on the Protection of Personal Data
The LPPD sets forth the principles that govern the processing of personal data, providing that any processing of data must be done in conformity with the law and in good faith, that the data must be accurate and up to date, that the data must be processed for a specified, explicit, and legitimate purpose and the processing must be relevant, limited, and proportionate to the purposes of processing, and that the data must be stored only for the duration that is necessitated by law or by the purpose for which the data was collected. The LPPD sets forth the explicit consent of the data subject as the principal condition for the processing of personal data, and provides an additional list of conditions under which personal data may be processed without the explicit consent of the data subject.
Similar to the scheme under EU law, the LPPD applies a special protection regime to “special categories of personal data,” namely, data relating to “race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics.” These categories of personal data, except data relating to health and sexual life, may be processed without the explicit consent of the data subject only if prescribed by law. On the other hand, according to the exception regime provided under article 6(3) of the LPPD, data relating to health and sexual life may only be processed without explicit consent “for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.” Personal data processed in accordance with the law must be erased, destroyed, or anonymized ex officio by the data controller or upon request from the data subject when the reasons necessitating the processing cease to exist. The rules and principles that govern the erasure, destruction, and anonymization process are provided in a regulation and guidelines issued by the Turkish Data Protection Authority (DPA).
2. Regulation of Personal Data Processing and Privacy in the Electronic Communications Sector
The ECommDPR governs the specialized personal data protection regime that electronic communications service providers operating under the Law on Electronic Communications (LEC) must comply with. The ECommDPR sets forth rules regarding the management of data safety, notification of risks and data breaches to data subjects, the processing and retention of data, including traffic data and location data, and certain privacy services that electronic communication service providers must provide to their customers.
The ECommDPR prohibits the listening, tapping, storage, termination, or surveillance of communication without the consent of all parties to the communication, except in cases prescribed by law or in accordance with a court decision. Moreover, service providers may not process traffic data, defined as “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof,” for purposes that are not within the scope of the services they provide. Traffic data may be processed by service providers only for purposes such as traffic management, interconnection, billing, fraud prevention, and dispute resolution. ECommDPR provides the purposes for which certain categories of traffic data may be retained by service providers and prescribes the mandatory retention duration of certain traffic data.
B. Data Retention and Location Tracking
1. Data Retention
According to article 4(2)(d) of the LPPD, personal data may be retained for no longer than is provided in special laws or is necessary for the purposes for which the personal data are processed. Rules regarding the retention of personal data processed in the context of the provision of electronic communications are provided in the ECommDPR and based on the authority delegated by article 51 of the LEC, which is the special law regulating the electronic communications sector.
The ECommDPR provides a list of categories of data that electronic communications service providers are required to retain; the categories fall under data necessary for the following purposes: to trace and identify the source of a communication, to identify the destination of a communication, to identify the date, time, and duration of a communication, to identify the type of communication, to identify users’ communication equipment or what purports to be their equipment, and to identify the location of mobile communication equipment. Service providers are required to retain this data for one year from the date the communication occurred, and for three months for calls that are not connected. The retained data must be stored in Turkey, and it must be destroyed or anonymized within one month after the date on which the mandated retention period ends.
Additionally, the ECommDPR requires service providers to retain personal data related to criminal investigations, inspections, audits, and disputes until the relevant process has ended, and retain records regarding access to personal data and relevant systems for four years. Service providers must also retain records on the consent provided by the users regarding the processing of their personal data at least until the subscription of the user is terminated.
2. Location Tracking
The LEC and the ECommDPR echo the same principle set forth in the EU ePrivacy Directive concerning the processing of location data, providing that location data may only be processed if it is made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value-added electronic communication service. Location data is defined as “data processed in an electronic communications network or via an electronic communications service, indicating the geographical position of the terminal equipment of a user.” The ECommDPR further provides that service providers must offer users means to temporarily disallow the use of location data (data that is not traffic data), and means to withdraw their consent for the use of location data easily, immediately, and free of charge. ECommDPR also provides for an exception to the consent rule, stipulating that location data may be processed without the consent of the user only “in cases of disasters, emergency, or in the context of emergency calls.”
III. Electronic Measures to Fight COVID-19 Spread
In response to the need for employing technological solutions to track and limit the spread of COVID-19, the Turkish Ministry of Health has launched several projects incorporating mobile applications that run on smartphones or tablet computers. These projects are complemented by the regular Turkish public digital health data management platform called E-Nabız (E-Pulse). Also, the DPA has issued two guidelines specific to the processing of personal data by the Ministry of Health and authorized institutions within the context of public health measures deployed to counter the outbreak.
A. Guidelines of the Turkish Data Protection Authority
The DPA issued two guidance statements relevant to electronic measures that could be deployed to fight the COVID-19 outbreak. On March 27, 2020, the DPA issued guidance on the processing of personal data, especially health data, in the context of the COVID-19 outbreak. The DPA noted that employers were authorized to share the relevant personal data of persons who contracted COVID-19 with public authorities based on article 8 of the LPPD, which authorizes the transfer of health data for purposes of the protection of public health. The statement further explained that the LPPD would not apply to the processing of health data by the Ministry of Health and other public institutions for the purposes of fighting the outbreak, citing the derogation stipulated in article 28(1)(ç) providing that the LPPD will not apply to the “[p]rocessing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.”
The DPA issued a second guidance on April 9, 2020, regarding the use of location data in connection with COVID-19 measures. The DPA explained that location data, as defined in ECommDPR, is a type of personal data that would normally be protected under the LPPD. However, the DPA reiterated its position that the processing of data by the Ministry of Health and other public institutions and persons authorized by law for the purpose of fighting the outbreak would fall under the article 28(1)(ç) derogation of the LPPD, thus concluding that public institutions could process location data under the derogation as well. The DPA reiterated that although such processing would be within the scope of the derogation, the institutions and persons undertaking such processing must take all technical and administrative measures necessary to ensure the security and privacy of the data and must erase or destroy the data once the reasons necessitating the processing cease to exist.
B. Electronic Measures Deployed by the Ministry of Health Against the COVID-19 Outbreak
Before the outbreak, the Turkish public health system already employed an extensive electronic health data management system called Sağlık-NET, with patient access to the system provided via the online portal E-Nabız. The use of this portal is voluntary; users sign up to the system with their names and Turkish ID numbers and may access the system via website or mobile application. The Ministry of Health requires all healthcare providers to upload patients’ medical test results, diagnoses, and prescriptions to the centralized system, and the data remain in storage with the Ministry of Health without being anonymized, which has caused concerns among numerous commentators, including the Turkish Medical Association. Patients can view their health data uploaded in the system through their E-Nabız accounts, and they have some control over the extent of access that healthcare providers have to the data, by giving or withholding consent electronically on the platform. The Regulation on Personal Health Data provides standard rules for the access of healthcare providers to the health data of patients who are not E-Nabız users. E-Nabız users who have taken COVID-19 tests can see their results in their E-Nabız accounts.
Besides E-Nabız, the Ministry of Health has set up two digital systems specific to the COVID-19 containment effort, addressing contact tracing and isolation.
On April 8, 2020, the Ministry of Health launched the “Pandemic Isolation Tracking Project” (Pandemi İzolasyon Takip Projesi—PITP). The PITP incorporates the mobile application “Life Fits Home” (Hayat Eve Sığar), which users can download. The application collects health data from users who voluntarily respond to questions about their age, how they feel physically, whether they are experiencing symptoms, and whether they have preexisting medical conditions. This information is then used for assigning a risk factor to the user and populating an epidemic heat map that can be viewed by application users, if the user shares his or her location data with the application. Users may also track the risk status and location of their consenting family members by adding them to their profile. The application warns the user if he or she, or a family member who was added to the profile, enters a high-risk zone. The application shows the user the nearest essential facilities such as hospitals, pharmacies, markets, and public transportation on a map.
The application incorporates a module for creating a 10 or 12 digit code that includes information regarding the user’s infection risk status. On May 30, 2020, the Ministry of Internal Affairs issued a circular ordering the use of the code, called a “HES code,” for purchases of all intercity and international travel tickets on public modes of transportation, including air travel. Travelers will not be allowed by operators on public transportation vehicles if their HES codes indicate that they were diagnosed as positive, or they have been in contact with a person diagnosed as such. Moreover, the system will warn passengers who have been in a public transportation vehicle in the last 14 days with a person who was not indicated to be at risk by their HES code at the time of travel but has later been determined to be at risk. Persons who are issued Turkish ID numbers can obtain HES codes via the Life Fits Home mobile application, through Turkey’s general e-government portal e-Devlet, or via SMS (short message service). Persons who do not have Turkish ID numbers will not be required to have HES codes to travel until June 5; beginning on June 6, these persons will be able to obtain codes via SMS by using their personal information and passport numbers. HES codes do not appear to include identifiable personal data.
The mobile application also incorporates access to the Ministry’s surgical mask distribution scheme, whereby users who are between 20 and 65 years of age can download a data matrix code issued by the Ministry with which to obtain five free surgical masks every 10 days from stocked pharmacies. The free mask distribution scheme complemented the Turkish government’s strategy of imposing a stricter curfew on persons who are younger than 20 and older than 65, which aims to enable the low-risk and economically active population to keep participating in production while keeping the high-risk and economically less active population at home.
The Ministry has launched a separate mobile application for the use of contact tracing teams. This application works with the Ministry’s “Transmission and Isolation Tracking System” (Filyasyon ve İzolasyon Takip Sistemi—FITAS). Through the application, members of contact tracing teams can access the contact information of patients who are assigned to them (persons who have tested positive, or are reported to have had contact with a positive case) to reach these persons to administer tests and inquire about their previous movements and contacts.
Significantly, the privacy policies of both mobile applications state that the Ministry of Health processes the data collected via the applications under the exception for the processing of special categories of personal data provided in article 6(3) of the LPPD, which authorizes the use of health data by authorized institutions without the explicit consent of data subjects for purposes of, among other things, protection of public health, medical diagnosis, treatment, or care services. A press release issued by the Directorate of Communications of the Presidency of Turkey confirmed that the government viewed the data collection and processing for purposes of the PITP as being in accordance with article 6(3) of the LPPD. Thus, it does not appear that the government is currently making use of the article 28(1)(ç) public safety/order derogation in the LPPD as the basis of its processing of health data in connection with the electronic measures that it employs in the fight against the spread of COVID-19.
Prepared by Kayahan Cantekin
Foreign Law Specialist
 Law on the Protection of Personal Data, Law No. 6698, Official Gazette No. 29677 (Apr. 7, 2016), https://perma.cc/EWS6-NN77 (unofficial English translation); Regulation on Personal Health Data, Official Gazette No. 30808, (June 21, 2019), https://perma.cc/7GX5-457G (in Turkish); Regulation on the Processing and Protection of the Privacy of Personal Data in the Electronic Communications Sector (ECommDPR), Official Gazette No. 28363 (July 24, 2012), https://perma.cc/ZL5E-38RL (in Turkish); Regulation on the Erasure, Destruction, or Anonymization of Personal Data, Official Gazette No. 30224 (Sept. 28, 2017), https://perma.cc/JY8Z-DBPG (in Turkish).
 ECommDPR, supra note 7.
 LPPD art. 4(2).
 Id. art. 5.
 Id. art. 6(1).
 Id. art. 6(3).
 Id. art. 7(1).
 Regulation on the Erasure, Destruction, or Anonymization of Personal Data, supra note 7.
 ECommDPR arts. 5, 6, 8-15, and 17-20, respectively.
 ECommDPR art. 7(1).
 Id. art. 8(1).
 Id. art. 8(2).
 Id. art. 14(1).
 LEC art. 51(8); ECommDPR art. 11(1).
 ECommDPR art. 3(1)(j).
 Id. art. 11(1) and (2).
 Id. art. 11(3).
 LPPD art. 8(2), by reference to LPPD art. 6(3).
 Covid-19 ile mücadelede konum verisinin işlenmesi ve kişilerin hareketliliklerinin izlenmesi hakkinda bilinmesi gerekenler, Turkish Data Protection Authority (Apr. 9, 2020), https://perma.cc/KD38-E3AL.
 Gov’t of Turkey, About e-Nabız, https://perma.cc/W6RF-EKMB (in English). The Ministry of Health bases the legality of the Sağlık-NET system on art. 3(f) of the Health Services Code, Law No. 3359, Official Gazette No. 19461 (May 15, 1987), https://perma.cc/9FGR-76HZ (in Turkish).
 See, e.g., Turkish Med. Ass’n, e-Nabız çöktü! (Sept. 13, 2019), https://perma.cc/CU8C-5VSD; for the administrative order governing the integration of all healthcare providers with the system, see Turkish Ministry of Health, Sağlık.Net Online ve e-Nabız, Circular No. 67189002 – 2016/6 (Apr. 26, 2016), https://perma.cc/ZR4T-872D.
 Regulation on Personal Health Data, supra note 7, art. 6.
 Arwa Damon & Gul Tuysuz, With Weekend Lockdowns and Age-Specific Restrictions, Turkey Takes a Different Coronavirus Approach, CNN (Apr. 17, 2020), https://perma.cc/9EUB-VMVT. This regime was somewhat relaxed by an order of the Ministry of Internal Affairs issued on May 29, 2020, whereby persons between 18 and 20 years of age and persons who were older than 65 but could prove that they were economically active were exempted from the curfews. 81 İl Valiliğine 18 Yaş Altı ile 65 Yaş ve Üzeri Kişilerin Sokağa Çıkma Kısıtlaması Genelgesi, Turkish Ministry of Health (May 29, 2020), https://perma.cc/G5F2-UMDU.
Last Updated: 12/30/2020