The HES-code and the data protection during COVID-19 pandemic in Turkey

Mobile applications are a beneficial tool to fight the coronavirus. With the mobile tracing applications, it became easier to cut the chain of transmission of the virus and reduce the number of daily cases. Many countries developed their applications and made them available to their citizens. While using these applications, it is necessary to protect the fundamental rights and freedoms of the individual. This frequent processing of individuals' health data has created legal problems regarding the protection of personal data. The purpose of this paper is to present a study on the Turkish Covid-19 tracing application “Hayat Eve Sığar-HES” and the legal issues behind the application.


I. Introduction
The Covid-19 pandemic has been affecting our daily lives for a long time.People gain new habits while adapting their lives to the new situation.New technological possibilities have emerged in managing the crisis.Digital tools such as mobile apps with tracing functionalities are very important in this process, identifying both known and unknown contacts of a confirmed case and possibly help in their follow up, in particular in settings with large numbers of cases where public health authorities can get overwhelmed. 1These mobile applications reduce the contact between individuals and help cut the transmission chain of the virus.In this context, applications were developed in some member states of the European Union (Germany-Corona-Warn-App, France-TousAntiCovid, Italy-Immuni, etc.), while in other member states it was stated that the said applications were in the development or planning stage. 2 The name of the application developed for the pandemic process in Turkey is "Hayat Eve Sığar (Life Fits Into Home)" shortly "HES".It is developed by the Turkish Ministry of Health.In this article, Turkey's HES application will be explained and then evaluated in terms of the protection of personal data.

II. "HES Application and HES Code"
HES Application (Life Fits Into Home Application): During the pandemic, the ministry of health developed HES, a phone application, that helps trace infection chains of SARS-CoV-2 in Turkey.With this application, people can access many data.For example, all districts of Turkey are 1 eHealth Network, 2020: 6. 2  Legal, 2020.graded according to the risk situation of Covid-19.It is possible to follow this situation on the map, which is contained in the app.You can also see if your family lives in high-risk areas or whether their workplaces are in high-risk areas.You can also follow up-to-date statistics from this application.
Another feature of the HES Application is the HES-Code.The HES code is a mandatory application by the Ministry of Health under coronavirus measures.The purpose of the HES code is to minimize the risks that may arise during the fight against coronavirus.This code shows whether you are corona positive or not.People who have been diagnosed with COVID-19 disease can be prevented from some places by this application.For example, you cannot get on any public transport or plane without a code.Another example is that you need to show the code when entering hospitals, universities, markets, shopping malls, museums, etc. Restaurants will only accept customers if they show the code when entering.HES Codes shared with institutions or individuals can be queried through the application or the services provided to the institutions, and it can be determined whether the relevant person is risky for Covid-19. 3

The Data Protection and HES-Code
Applications that process personal data interfere with the right to "privacy and protection of private life", which is one of the fundamental rights and freedoms of individuals.According to Paragraph 3 of Article 20 of the Turkish Constitution: "Everyone has the right to demand the protection of personal data concerning him/herself.This right includes being informed about personal data relating to him/herself, 3 Legal, 2020.www.bioethics.gr Cangil S. M. / Βιοηθικά 7( 2) Σεπτέμβριος 2021 accessing these data, requesting their correction or deletion, and learning whether they are used in line with their purposes.Personal data can only be processed in cases stipulated by law or with the explicit consent of the person". 4In the Turkish Penal Code, under the heading of "Offences Against Privacy and Confidentiality Violation of Confidentiality of Communication"; "Recording of Personal Data" (Article 135), "Illegally Obtaining or Giving Data" (Article 136), and "Destruction of Data" (Article 138) are organized as a crime. 5This right is also protected by international documents.
As a matter of fact, Article 8 of the European Convention on Human Rights regulates the "right to respect for private and family life". 6n private law, it is the Personal Data Protection Law No.6698 that will guide us in this regard and will be examined separately below.

The HES Code and Personal Data Protection Law No.6698
HES Code can be obtained in three ways; i) via HES Mobile Application, ii) by SMS sent to the number 2023, iii) by e-Devlet (translates in e-Government, which is an online resource providing access to government services).HES Codes are custom made and their management belongs to the person.The person can either limit the time that the HES Code can be used or allow it to be used indefinitely.Parents can obtain a code for their children under the age of 18.
The HES Code should be considered in the context of the protection of personal data.Under Article 6/1 of the Personal Data Protection Law No.6698 ("Law"), the HES Code can be considered in the special category of personal data since it contains information regarding the health of the person concerned. 7According to Article 6/2 "It is prohibited to process special categories of personal data without explicit consent of the data subject." 8However, in terms of HES Code, the following should also be taken into account: Some exceptions are stipulated in Article 28 of the Law, in another saying, some cases can be exempted from the application that is mentioned in the previous article.Accordingly, under Article 28/1(ç) of the Law: "Processing of personal data within the scope of preventive, protective and intelligencerelated activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order or economic safety". 9In this regard, as stated in the public announcement of the Personal Data Protection Authority issued on March 27, 2020, since the current situation threatens public safety and public order, it is possible for the Ministry of Health and public institutions and organizations mentioned in the Article to process personal data. 10Therefore, the HES Code, which includes the health data of the relevant person, may be subject to data processing without the data subject being enlightened and without obtaining explicit consent. 11ata controllers other than the Ministry of Health and relevant public institutions/organizations, for example, places such as banks, shopping malls, or factories, etc., may not benefit from this exemption.Moreover, there is no legal basis allowing processing personal data or sensitive personal data (such as health data) for protecting public health or preventing epidemic risks. 12For this reason, under the Law, it will be necessary to obtain the explicit consent of data 7 Legal, 2020. 8Kvkk.gov.tr,2016. 9Ibidem. 10Yavuzdoğan and Başaran Savuran, 2020: 1. 11 Legal, 2020. 12Yavuzdoğan and Başaran Savuran, 2020:

III. Conclusion
The principle of legality applies in democratic states.Practices that may interfere with the fundamental rights and freedoms of individuals are strictly regulated by law.It is unlawful to make these restrictions only through regulatory actions of administrations, without relying on a law.Privacy and protection of private life are fundamental rights which are regulated in the Turkish constitution.This right also covers the protection of personal data.Any intervention to the protection of personal data must be based on the law.Data controllers other than public intuitions obtain the explicit consent of data subjects as regulated in Article 6/2 of Personal Data Protection Law No.6698 in terms of processing of health data.While the HES Code is being applied, the persons requesting the HES Code must do so with the explicit consent of the data subject, meaning the person giving the HES Code.The system currently being implemented in Turkey should be changed and brought into compliance with the Law.In this way, the principle of legality will be implemented and the protection area of fundamental rights and freedoms will be fully ensured.