Borders and Principles of Processing Employee Data in Turkey in Light of DPA and Court Decisions


Click here to watch the webinar on this topic.

Private life has been protected under the Turkish Constitution before the enactment of Data Protection Law came into force in 2016 in Turkey. Disputes related to monitoring employee personal data in the work place have been subject to court decisions based on the constitutional provisions mostly and also several decisions have been taken by the Data Protection Authority (“DPA”) in this respect.

Legal grounds for data processing in the employment context

Turkish Data Protection Law does not provide specific rules in the employment context. There are several circumstances where employee data can be processed, whether it be on the basis of the consent of the employee, or whether made for the purposes of the recruitment, for the performance of the contract, for the employer to fulfil obligations laid down by law, for management and planning of work, to ensure health and safety at work, and for the purposes of exercising and using rights and benefits related to employment, or for the purpose of the termination of the employment.

Unlike General Data Protection Regulation (“GDPR”) (Article 9/2/b) sensitive data is processed under very limited conditions in Turkish Data Protection Law and especially in terms of processing health data or sexual orientation, processing is only possible based on obtaining an explicit consent and in very limited cases. Whereas, sensitive data other than health data and sexual orientation, can be processed only when it is required by law. So having these in mind, following the consent mechanism is inevitable under Turkish data protection law. Consent must be freely given and prior to giving consent, the data subject must be informed. It must be distinguishable from other matters. Further it is the data controllers’ liability to demonstrate that the data subject has been informed and given its consent.

The key obligation of data controller is to inform data subjects

Under the Data Protection Law, like in the GDPR, controllers must inform data subjects about data processing activities.

Therefore, to ensure compliance with data privacy laws in the workplace, employers must ensure having certain provisions in the employment agreement, in any case, however privacy notice must be prepared separately and employees must be informed of data processing procedures in detail with a separate document.

Most debated issues in Turkey: processing biometric data and monitoring

Most debated issues in Turkey with respect to privacy in the employment context relate to processing of biometric data and employee monitoring which may include in-vehicle monitoring, and systematic or on-spot monitoring of corporate emails.

In terms of processing biometric data Turkish DPA issued a decision (which was about a gym) and in short processing biometric data of gym members during their entrance was not found lawful even if the gym had taken explicit consent of the members and also provided them with the option to enter the gym with a pass card alternatively. The Turkish DPA concluded that processing biometric data is not proportionate with the purpose of the processing and in cases where there are other less intrusive tools to reach the purpose there is no necessity to process biometric data. The said decision of the Turkish DPA has also its effects in the workplaces where companies using for example retina scan technologies for office building entrances. We believe that the decision of the DPA must not be interpreted as if processing biometric data is prohibited for all workplaces, it can still be processed by obtaining explicit consent of the data subjects where there is a necessity or to ensure high level of security. 

In vehicle monitoring is also applicable in work places. When the vehicle is linked to a specific employee then personal data will be processed through the in vehicle monitoring systems.  There must be a necessity for the specific position of the employee where employer is required to monitor his location during the working hours to audit the activities or time spent out of the office. However such an application again must be proportionate with the purpose of the processing. Further, if private use of the vehicle is also allowed, employees’ consent must be obtained or in vehicle monitoring hours must be restricted if possible. The employee must be informed of in vehicle monitoring system beforehand. Proportionality is the key element to evaluate. Because the data controller will most probably rely on legitimate interest legal ground while implementing in monitoring and balance between the interest of the employer and the employees’ rights and freedom must be diligently evaluated.

Monitoring corporate emails (whether it be systematic or on spot) is exposed to many risks from privacy law perspective.  There are some DPA decisions as well as court decisions in this respect.

Employers collect corporate records, back up emails to ensure the security of the system or to be able to investigate any allegation of corruption etc. In principle monitoring is not prevented by laws, however it must be justified, necessary and proportionate, as always!

In its decision dated January 2020, the Turkish DPA concluded that the data controller (employer) that has monitored employee emails has processed personal data to exercise its legal rights, therefore processing was made lawfully.

Courts’ Approach Employee Data Processing

Before the enactment of the Data Protection Law, Supreme Court had already accepted that employers can monitor its employees’ email correspondences as long as the employer’s computer, equipment are used. 

In April 2016, just before the enactment of the Data Protection Act, Constitutional Court granted a decision for monitoring employee’s corporate e-mails. In this decision, it was said that the employees were informed with their internal regulations that their corporate e-mail accounts cannot be used for private use, and the employer has right to monitor those correspondences. 

The Constitutional Court decided that there is no violation of the privacy right and privacy of communication, as the employer had already made notifications and warnings to the employees for the monitor of their email correspondences. Even before the enactment of the Data Protection Law, the Constitutional Court mentioned the importance of informing obligation. 

After, in line with the Data Protection Law and the decision of the Constitutional Court, in May 2019, the Supreme Court decided that within the scope of employer’s right to manage, employers can monitor its employee’s electronic communications. However, to do so, the employees must be reasonable informed by their employers about monitoring of correspondence. 

The Constitutional Court also granted two recent decisions on monitoring employee’s corporate emails. In October 2020, in the case where the applicant was a lawyer who was an employee of a law firm, it is concluded that the employer had not duly informed employee about it monitoring activities and principle of proportionality has been breached by the employer by examining correspondences with third parties, as the inspection that took place was not limited to the allegations in question.

In January 2021, the Constitutional Court granted another decision for monitoring of corporate emails of the employees. The Constitutional Court found that there had been no violation of the rights of personal data protection and the freedom of communication. The Constitutional Court further stated that the employee’s employment contract stipulated that the employee can use corporate emails only for business use; and the bank management could carry out an inspection at any time without prior notification. Therefore, the Constitutional Court ruled that the employer had fulfilled the explicit information requirement and the employee had consented to the inspection by signing the employment contract. Constitutional Court ruled that the employer had conducted an inspection limited to the purpose of processing and used the collected data in compliance with the purpose.

Conclusion

In sum, the Turkish DPA and the courts in Turkey have similar approach in evaluating employee data processing disputes,  and they all refer to the fundamental principles of data processing as; principle of necessity, principle of purpose specification, principle of transparency, principle of legitimacy and principle of proportionality in case of processing employee data in the workplace. Informing employees beforehand about data processing activities is of the essence which may affect the litigation strategies of parties in the future.

 

 

First published by ILO - Employment & Benefits Newsletter, in 14.04.2021

Find more insights

Share