Corona Outbreak: Announcement on Processing of Location Data by Turkish DPA

Turkish Personal Data Protection Authority (“the Authority”) has published a new announcement regarding the data processing activities on the location data for the purposes of combatting Covid-19. Accordingly, in order to prevent the spread of coronavirus in various countries; technological practices such as mobile applications with geolocation tools are being used for processing health and location data with the contact information of related persons who have infected or carry risk of being infected for the treatment and quarantine processes.

In addition, the Authority stated that the location data which is a personal data under the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) has been defined as “Specific data that determines the geographic location of a device belonging to a user of the public electronic communication services and is being processed in the electronic communications network or via the electronic communications service” in the Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communication Sector. However, as per the Article 28/1-ç of the Law No. 6698, if the data is processed by the authorized public institutions within the scope of intelligence activities, national defense, public security and order, such processing shall be exempted from the provisions of the Law No. 6698. The Authority stated that, in order to mitigate the effects of the virus in cases where it threatens public order and public safety, the authorized public institutions obligated to ensure  isolation of people who have been diagnosed with epidemic disease are entitled to determine the crowded areas by processing the location data and develop measures in this context. Therefore, such data processing activities to be carried out by public institutions and organizations are evaluated within the scope of the Article 28/1-ç of the Law No. 6698 and there is no obstacle to the processing of health or location data for these institutions.

The Authority also highlighted that even though such data is processed within the scope of the Article 28/1-ç of the Law No. 6698, the necessary technical and organizational measures have to be implemented to mitigate the risks regarding processing of health and location data together and such data have to be erased or destructed after the conditions requiring such processing ceased to exist.