According to Turkish Personal Data Protection Law No. 6698 ("KVKK"), personal data can be defined as any information relating to an identified or identifiable natural person1. Personal data can be processed with explicit consent or under the conditions indicated within the scope of KVKK2. In this sense, it is also necessary to take into account the situation of employees whose personal data is seriously processed under KVKK.
Within the scope of employment relation between employee and employer, by the nature of the Labour Act No:4857 ("Labour Act") various personal data of employee's are processed such as data of first name-surname, address, wage, criminal record document, medical release, picture, video footage, every other data of employee's personnel file, location information of allocated vehicle, recording, mailing, etc. In this case, the employer often accepted as a "data controller"3, who determines the purposes and means of the processing of personal data and responsible for the establishment and management of the filing system.
The processing of personal data as said above shall comply with the "being in conformity with the law and good faith", "being accurate and if necessary, up to date", "being processed for specified, explicit, and legitimate purposes", "being relevant, limited and proportionate to the purposes for which data are processed", and "being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected" principles and specified conditions according to KVKK. 4Concerning the subject, article 419 of the Turkish Code of Obligations No. 6098 states that employee's personal data can only be used by the employer when it is related to the employee's predisposition to work and necessary for the performance of the contract of employment. In other legislation, article 75 of Labour Act states that the employer is under the obligation to use the information he has obtained about the employee in accordance with the principles of honesty and law and not to disclose the information for which the employee has a justifiable interest in keeping as a secret.
Particularly, the processing and keeping of an employee's personnel file by the data controller has become an important issue. As stated in the decisions and guidelines of The Turkish Personal Data Protection Board ("Board") the personal data processed within employee's personnel file should be minimized, except laid down by the other laws, and many technical and administrative measures to be taken. Examples of these measures are stated below;
- Protection of documents in metal and locked cabinets,
- Protection of special categories of personal data, such as a bill of health, in metal and locked cabinets which are separate from other documents in the on-site doctor's room,
- Providing access to folder and documents only in the relevant department (e.g. ,human resources),
- Only determined employee's within the relevant department having access to documents, (e.g. access to two out of four human resources employees) etc.
As stated above, technical/administrative measures to be taken throughout the recruitment process and employment relation may vary in all circumstances. According to Labour Act, many activities of the employer in employment relation can be included in the scope of "Employer's right to govern" in right or wrong manner, but the determination of restrictions of employer's right the govern has also great importance in terms of labour law and data security. For instance, although the employer's camera (CCTV) alignment is included in the scope of the employer's right of governing, the employer should inform the employees about the duration, number of cameras, purpose, places of camera, and also be in the advantage of the employer. Either way, cameras should not able to directly shoot the employer's personal work area or personal spaces such as shower areas, toilets, restrooms, etc. Concerning the subject, monitoring systems at the workplace or tracking of employer's office phone and office mail can be given as an example of featured situations of employer's right to govern within the context of data protection. In addition to all these, the activities of the employer should be carried into effect in accordance with the "Principle of Proportionate".
Consequently, it should be noted that the principles of labour law and KVKK interpreted together in employment relations. Employers should take into consideration that they may meet the administrative fines laid down according to articles 16 and 17 of the KVKK in case of data breaches concerning employees and workplaces. Within this framework, an employer who has not completed their compliance under KVKK and has not fulfilled their obligations referring to Article 18 of KVKK may be fined from Try 5.000,00 up to 1.000.000,00 Turkish liras.5
1- İş Hukuku, Prof. Dr. Sarper Süzek
2- İşçinin Kişiliğinin ve Kişisel Verilerinin Korunması, Erbil Beytar
3- İş İlişkisinde İşçinin Kişisel Verilerinin Korunması, Av. Selen Uncular
1 Article 3/1 (d), Turkish Personal Data Protection Law No:6698
2 Article 5 and 6, Turkish Personal Data Protection Law No:6698
3 Article 3/1 (ı), Turkish Personal Data Protection Law No:6698
4 Article 4, Turkish Personal Data Protection Law No:6698
5 Article 18, Turkish Personal Data Protection Law No:6698
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.