As the use of the HES Code expands, questions about how the HES Code should be evaluated within the scope of the Law on the Protection of Personal Data (“Law”) also increase. Querying the HES Code gives access to health data of the persons concerned, such as Covid-19 risk status, PCR test result information and vaccination information, which poses a risk in terms of compliance with the Law. The points that data controllers should pay attention to when querying the HES Code are covered in the rest of the article.
What Is the HES Code?
The HES (Hayat Eve Sığar – Life Fits into Home) Code is a digital code developed by the Ministry of Health, which facilitates the implementation of the measures taken during the fight against the Covid-19 pandemic. The purpose of using the HES Code is to prevent the spread of Covid-19, to minimize the risk of disease and to inform society about it. While the HES Code was used only in transportation in the beginning, today it is queried at the entrance to shopping malls, public institutions and organizations, and banks. In addition, some workplaces are obliged to query their employees’ HES Codes.
What are the Processing Conditions of Data Concerning Health in Terms of Law No. 6698?
Article 6/3 of the Law lists only exceptional cases, such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, in which personal data regarding health and sexual life may be processed without seeking the explicit consent of the person concerned. The Law also states that, even in the cases listed, such data can only be processed by persons or authorized institutions and organizations that are under an obligation of confidentiality. If the conditions listed in the Law are not met in the concrete case, the explicit consent of the data subject must be obtained. In this case, it is important for data controllers to act, with respect to explicit consent, in accordance with the Law, secondary legislation and the guidelines and decisions published by the Board.
Should Explicit Consent Be Obtained Before Questioning the HES Code?
An HES Code query can be made with the “Hayat Eve Sığar” (Life Fits into Home) mobile application developed by the Ministry of Health. In addition, workplaces with more than 500 employees can make collective HES Code queries through integration with the Ministry of Health.
On September 28, 2021, the Public Announcement on the Covid-19 PCR Test Result and Vaccine Information Applications was published by the Personal Data Protection Board (“Board”). In its statement, the Board discussed the processing of PCR test results and Covid-19 vaccine information both in terms of the regulations in the Law, as they are special categories of personal data, and in terms of the regulations made within the scope of combating the Covid-19 pandemic. The public announcement also mentioned the letter sent by the Ministry of Internal Affairs to 81 provincial governorships, stating that workers who are not vaccinated against Covid-19, who are brought to their workplaces, have to have PCR tests performed once a week and that these will be recorded.
In the public announcement, the Authority clarified that public institutions and organizations will be completely exempted from the Law in the processing of PCR test results and vaccine information within the scope of combating the pandemic. There is, however, no clear explanation for workplaces that are not public institutions and organizations. At the end of the announcement text, it is stated: “It is considered that personal data processing activities that are outside of or exceed the activities carried out for the purpose of protecting public security and public order within the scope of the Covid-19 epidemic will be covered by the Law.” From this statement, we can say that public institutions and organizations authorized to ensure public safety or public order are exempted for situations that fall within the scope of the preventive and protective activities set out in Article 28 of the Law.
A data controller who will process HES Codes should evaluate the data processing activity separately for each concrete case. For example, as we explained above, exceptional cases within the scope of Article 28 of the Law are completely excluded from the Law. On the other hand, whether HES Codes may be queried in workplaces should be evaluated separately in light of the concrete case. This evaluation should take into consideration circumstances such as whether the workplace doctor performs the query, whether the results of the query are recorded in a system, and whether the HES Codes are transferred to third parties.
We would like to emphasize that before each HES Code query, and before any query process in which HES Codes are recorded in an electronic system, the relevant persons should in any case be informed in accordance with the Law.
Ezginaz Çalışır, Attorney At Law