May 2021 – The Turkish Personal Data Protection Board (the “Board”) has evaluated the enforcement of Personal Data Protection Law No 6698 (the “Law”) in relation to health data processed by workplace doctors transferred as part of an asset transfer transaction.
In the case in question, the assets of a company (the “Transferor”) were acquired by another company (the “Transferee”). According to the allegations of the Complainant, who is a former employee of the Transferor:
What did the Transferee say in its defence?
The Transferee stated that its compliance process is ongoing and that the Complainant’s personal data is not protected under the Law, as the processing occurred in 2014–2015, which is prior to the effective date of the Law, i.e., 7 April 2016.
The Transferee further indicated that it processed the personal data of employees on the grounds that it is explicitly stipulated by legislation and that it is necessary to fulfil a legal obligation. Regarding the sensitive data, the Transferee also stated that the workplace doctor processed the health data of the employees without obtaining explicit consent because workplace doctors are under the obligation of confidentiality.
What was the Board’s approach?
In its decision, the Board highlighted that the Transferee processed the Complainant’s personal data in 2014–2015, before the effective date of the Law, and therefore failure to fulfil the obligation to inform the data subject was not deemed a violation of the Law.
The Board also confirmed that data controllers can process the health data of both current and former employees in a manner that limits the access of workplace doctors, as workplace doctors are under the obligation of confidentiality.
From the Board’s decision it is clear that if the completion date of an asset transfer is before the effective date of the Law, the Transferee is not required to fulfil the obligations arising from the Law.
Another significant point stated in the decision is that workplace doctors may process health data without obtaining the explicit consent of employees, provided that the data controllers take adequate measures to protect sensitive data.