23 December 2020
Use of HES Code in the Workplace and KVK Precautions
The Ministry of Health has developed the necessary system integration between the Hayat Eve Sığar application (“HES”) and the E-Devlet system in order to track the COVID-19 exposure of individuals. The application assigns a specific HES code to each individual. This HES code displays the COVID-19 risk status of the respective person. If the HES code is shared with third parties, they may also obtain information regarding the COVID-19 risk status of the respective individual.
Subsequent to the integration of the application into E-Devlet, businesses may use the HES code inquiry services through:
- their own automation systems if they have at least 500 employees; and
- the HES mobile application or E-Devlet if they have fewer than 500 employees.
In short, this system allows employers to review the COVID-19 risk status of their employees.
Evaluation of HES Code as Health Data
The HES code indicates the risk status of individuals based on the results of COVID-19 tests or their contact with a COVID-19 positive individual. For this reason, the HES code and inquiry results are considered health data and classified as sensitive personal data. Thus, the use of service integration with HES and E-Government applications constitutes the processing of an individual’s health data by automated means.
Nature of Health Data and Conditions of Processing
Explicit consent is required for the processing of sensitive personal data. In the event explicit consent is not obtained from employees or other individuals (e.g. family members of an employee) whose HES code is processed, the processing of such data may be unlawful.
There are exceptions that do not require explicit consent. For example, workplace physicians operating under public institutions and private enterprises do not need explicit consent to make HES Code inquiries.
Sanctions for Unlawful Processing of Health Data
Unlawful processing of personal data may result in an administrative fine within the scope of KVK. In addition, under the crimes regulating the recording and sharing of personal data set forth in the Turkish Criminal Code, managers, human resources professionals and people who are not within the scope of an exemption to carry out HES code inquiries may be punished with imprisonment. You can find a short article here in which we evaluate the crimes related to personal data stipulated under the Turkish Criminal Code.
The HES code and the risk status of individuals are considered health data and are classified as sensitive personal data. In the private sector, the processing of such data by managers and human resources professionals requires the explicit consent of the data subject (i.e. the individual the HES code relates to). In order to ensure lawful processing of personal data, it is recommended that personal data documents, including the data inventory, privacy notice and consent, are altered to include data processing with respect to the HES code.