Protection of Personal Data in Turkish Labor Law
PROTECTION OF PERSONAL DATA AND LABOR LAW
The principles and procedures related to the protection of personal data are regulated by law. In this context, the Personal Data Protection Law No. 6698 defines personal data as any kind of information related to an identified or identifiable natural person. This includes identity information, origin, physical characteristics, health information, educational status, employment history, residence, association and union memberships, profession, financial information, criminal record information, phone number, image, genetic information, contact information, social media activities, and any other data that characterizes the person.
The concept of processing personal data refers to any operation performed on personal data, whether by automatic or non-automatic means, such as obtaining, recording, storing, maintaining, changing, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data.
As a rule, personal data cannot be processed without the explicit consent of the relevant person. However, personal data can be processed without that explicit consent if one of the following conditions exists:
1. Explicitly stipulated by laws.
2. Necessary for the protection of the life or physical integrity of the person or another person who is unable to explain his consent due to actual impossibility or whose consent is not legally valid.
3. Necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
4. Necessary for the data controller to fulfill its legal obligation.
5. Made public by the relevant person himself.
6. Necessary for the establishment, use, or protection of a right.
7. Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
Undoubtedly, the regulations in the Personal Data Protection Law will be binding for the parties of the employment relationship as well. This binding nature is reflected in several other laws.
Article 75 of the Labor Law explicitly imposes on the employer the obligation to organize a personnel file for each employee it employs; to keep in this file any documents and records that it is obliged to arrange according to the Labor Law and other laws, alongside the employee’s identity information, and to present them to the competent authorities and officials when requested. Similarly, the boundaries of this obligation are drawn by the requirement to use the information obtained about the employee in accordance with the rules of good faith and the law and to keep such information confidential if the employee has a legitimate interest in doing so.
Article 419 of the Turkish Code of Obligations No. 6098 grants the employer the right to process the personal data of the employee only to the extent that it is necessary for the suitability of the employee for the job or for the performance of the employment contract.
Article 15 of the Occupational Health and Safety Law No. 6331 mandates that the data obtained as a result of health surveillance, taking into account the health and safety risks that employees will be exposed to in the workplace, should be kept confidential in terms of protecting the privacy and reputation of the employee.
WHAT ARE THE SCOPE AND LIMITATIONS OF THE EMPLOYER’S MANAGEMENT RIGHTS?
An employment contract is a contract in which the employee undertakes to work dependently and the employer undertakes to pay a wage, with the element of dependence obliging the employee to act in accordance with the employer’s orders and instructions. The hierarchical structure resulting from the order and instruction relationship naturally grants the employer a management right stemming from the employment relationship and related to the obligation to perform work. In this context, it is impossible to speak of an unlimited management right of the employer, who has a stronger authority compared to the employee, who is economically dependent and in a weaker position in terms of material conditions. The state, which is obliged to take the necessary measures to protect workers and the unemployed, support employment, create an economic environment conducive to preventing unemployment, and ensure labor peace to improve the standard of living and develop working life, must act in accordance with the principle of protecting the employee in the employment relationship. Based on this principle, the employer’s management right has a limited meaning, and the employer’s management authority is limited by sources such as the constitution, laws, regulations, collective/individual labor agreements, workplace regulations, and workplace practices to protect the employee. The most important protection mechanism that limits the employer’s management rights is the fundamental rights and freedoms of the employee, which provide constitutional assurance.
The right to privacy is one of the fundamental rights and freedoms that need to be protected and concerns the personal rights of the employee. Everyone has the right to demand respect for their private and family life and the protection of their personal data. This right includes being informed about personal data related to oneself, accessing this data, requesting their correction or deletion, and learning whether they are used for their purposes.
Given the transformations brought about by technological developments, it is an undeniable fact that interference with privacy has become quite easy and widespread in all areas of life. Considering the reflection of the current situation on the employment relationship, it can be said that employers frequently use infrastructural facilities for monitoring and tracking activities through phone calls, internet history, email contents, vehicle records, surveillance recordings, or recognition systems applied for entrance and exit control. These facilities lead to access and processing of employees’ personal data, making it necessary to refer to regulations to prevent violations in these areas and to ensure that the boundaries of the management right are not exceeded.
PRINCIPLES GOVERNING THE PROCESSING OF THE EMPLOYEE’S PERSONAL DATA UNDER THE KVKK
The Personal Data Protection Law (KVKK) binds the data controller to certain principles in carrying out data processing activities. When processing the employee’s personal data, the employer must comply with the following principles and requirements:
Data processing activities must be carried out in accordance with the law and the rule of good faith.
The employer is obliged to act like a reasonable, accurate, and honest person while processing the employee’s personal data in compliance with the laws and all other regulations.
Personal data must be accurate and kept up-to-date when necessary.
This principle imposes on the employer the obligation to conduct audits to ensure that the personal data of the employee is processed accurately and, when necessary, to create a data policy.
Data must be processed for specific, explicit, and legitimate purposes.
The employer can process the personal data of the employee for clearly defined data purposes that can be clearly perceived by the employee with explicit and understandable reasons.
Personal data must be processed in connection with, limited to, and proportionate to the purposes for which they are processed.
The employer should conduct data processing activities to the extent appropriate to the requirements of the employment relationship and the nature of the work.
Personal data must be retained for the period stipulated in the relevant legislation or as required for the purposes for which they are processed.
The retention period should be determined considering legislative provisions, the nature of the data, responsibility provisions, and the legitimate interests of the employee.
EMPLOYER’S OBLIGATIONS IN PROCESSING PERSONAL DATA
The data controller, who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, corresponds to the employer in the employment relationship.
Registration in the Data Controllers Registry
Natural and legal persons processing personal data must register with the Data Controllers Registry before starting data processing. However, considering objective criteria to be determined by the Board, such as the nature and number of personal data processed, the origin of data processing from the law, or the transfer of data to third parties, an exception to the obligation to register with the Data Controllers Registry may be made by the Board. Data controllers required to register with the Data Controllers Registry are obliged to prepare a personal data retention and destruction policy in accordance with the personal data processing inventory. It is necessary to detail the data processing activities carried out by data controllers based on their business processes by relating the purposes of data processing, data categories, groups of recipients, and the data subjects, and to explain the maximum period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Obligation to Inform
Subsequently, the employer must fulfill the obligation to inform the employee about the identity of the data controller and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the employee’s right to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of processing and whether it is used in accordance with its purpose, to know the third parties to whom personal data is transferred domestically or abroad, to request the correction of personal data in case of incomplete or incorrect processing, to request the deletion or destruction of personal data, to request notification of the correction, deletion, or destruction of personal data to third parties to whom personal data has been transferred, to object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems, and to demand compensation for the damage in case of loss due to unlawful processing of personal data.
Obligation to Obtain Explicit Consent
Consent, which is a declaration of will, becomes valid if the person is aware of and voluntarily decides on the action taken. In situations where the parties are not in equal positions or one party has influence over the other, it is necessary to carefully evaluate whether consent is given freely. Especially in the employee-employer relationship, it cannot be accepted that consent is given freely in cases where the employee is not effectively provided with the opportunity to refuse consent or where refusal to consent would likely result in a negative outcome for the employee. Within the framework of the KVKK, explicit consent means that the person consents to the processing of their data either voluntarily or at the request of the other party. Another importance of explicit consent is that it guides the data processor on the act to be performed. With the statement of explicit consent, the person notifies the data controller of the decision they have made regarding their legal value. Explicit consent will also enable the relevant person to determine the limits, scope, method, and duration of the data processing they permit.
Obligation to Take Technical and Administrative Measures
As a data controller, the employer is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data, unlawful access to personal data, and to ensure the protection of personal data.
RESULTS OF UNLAWFUL PROCESSING OF PERSONAL DATA UNDER PRIVATE LAW
The unlawful processing of the employee’s personal data has legal, criminal, and administrative consequences for the parties of the employment relationship.
1. Legal Consequences
– In case of damage due to unlawful processing of personal data, the right to demand compensation for the damage
– The right of those whose personal rights are violated to claim compensation according to general provisions
– The right to request the judge to protect against those who attack, to prevent the danger of attack, to stop the ongoing attack, and to determine the unlawfulness of the attack, even if it has ended but its effects continue
– The right to request correction or notification or publication of the decision to third parties
2. Criminal Consequences
– Those who unlawfully record personal data shall be sentenced to imprisonment from one to three years.
– Those who unlawfully give, disseminate, or obtain personal data of another person shall be sentenced to imprisonment from two to four years.
– Those who are obliged to destroy the data within the period specified by the laws but fail to do so shall be sentenced to imprisonment from one to two years.
3. Administrative Consequences
– An administrative fine ranging from 5,000 to 100,000 Turkish Liras shall be imposed on those who fail to fulfill the obligation to inform.
– An administrative fine ranging from 15,000 to 1,000,000 Turkish Liras shall be imposed on those who fail to fulfill the obligations related to data security.
– An administrative fine ranging from 25,000 to 1,000,000 Turkish Liras shall be imposed on those who fail to comply with the decisions of the Board.
– An administrative fine ranging from 20,000 to 1,000,000 Turkish Liras shall be imposed on those who act contrary to the obligation to register and notify the Data Controllers Registry.
IMPLEMENTATIONS WITHIN THE SCOPE OF THE EMPLOYER’S MANAGEMENT RIGHTS AND EVALUATION OF THESE IMPLEMENTATIONS UNDER THE KVKK
1. Monitoring Phone Calls
If the employer has provided the employee with a phone, the employee should use this phone for its intended purpose. It may be acceptable for the employer to monitor whether the phone is being used for inappropriate purposes, based on the legitimate interest of the employer. However, the employer cannot make any request that would infringe on the employee’s freedom of communication, such as listening to phone calls, and can only monitor call history and call durations. In conclusion, everyone has the right to freedom of communication. The confidentiality of communication is essential. Communication cannot be obstructed and its confidentiality cannot be violated, except by a judge’s decision duly issued for reasons such as national security, public order, prevention of crime, protection of public health and public morality, or the rights and freedoms of others, or in cases where delay is detrimental, by the written order of the authorized authority under the law.
2. Monitoring Internet Traffic
It is possible to say that the employer has the authority to monitor internet traffic to prevent internet usage by employees that disrupts the fulfillment of the obligation to work during working hours, prevent access to sites that pose legal risks, and prevent violations of trade secrets, including production, operation, or customer information. If the employer has not expressed an intention that internet usage in the workplace can be for private purposes, it will be assumed that the purpose of usage is solely related to the performance of work. In both cases, the information that all activities carried out over the internet are being monitored by the employer must be shared with the employee. However, it is worth mentioning that internet traffic monitoring should be resorted to as a last resort, and technical measures such as access restrictions should be taken first to prevent the aforementioned risks.
There are two important points in monitoring correspondence through an email address allocated by the employer for the performance of work. First, it must be clearly communicated to the employee that the allocated email address is limited solely to the performance of work, and the employee must be informed that the correspondence is being monitored. Second, it must be determined whether the email in question is related to the performance of work. There is no obstacle to checking whether the headings and recipients are related to the performance of work.
3. Monitoring by Video Camera
For the employer to monitor the employee by camera, there must first be a reasonable, legitimate, and acceptable justification. The aim of pressuring the employee to perform their duties does not constitute a justification for this action. It may be resorted to with a device that does not have a voice recording feature for the implementation of occupational health and safety measures where no other measures can be taken, and it can also be used as a measure against theft that cannot be prevented, provided the employee is informed.
4. Vehicle Location Tracking
If mobile work or transportation activities are carried out due to the nature of the work or if a vehicle is allocated for the employee’s use, it may be a method that can be used for safety or control purposes, but the employee must be informed about the implementation. The determination of the time during which the control authority exists depends on whether the vehicle is allocated solely for the performance of work or if there is permission for private use. If it is only for the performance of work, there is control authority even outside working hours, whereas if there is permission for private use, control is limited to working hours.
5. Monitoring Entry and Exit to Work
Among the frequently used methods to ensure attendance controls are signature control, card access systems, retina scanning, facial recognition systems, and fingerprint methods. Each of these methods must be proportionate to the security level required by the activity being carried out. If a more reasonable solution can be used to ensure entry and exit control, it should be preferred. Otherwise, identity, signature control, and card access practices, which can be considered proportional, should be preferred. Access to the employee’s genetic data requires a very high level of security due to the nature of the work.