Recent Developments on Data Protection Practices in the Workplace

The decision of the Turkish Data Protection Authority/Board (the “DPA”) dated 29 June 2026 and numbered 2026/921 (the “Decision”) regarding the use of biometric identification systems for monitoring employees’ working hours was published in the Official Gazette dated 2 June 2026 and numbered 33268. On 8 June 2026, the DPA also published on its website a public announcement setting out the issues to be taken into consideration in relation to the use of CCTV systems in workplaces.

DECISION ON PROCESSING BIOMETRIC DATA FOR WORKING TIME MONITORING

In the Decision, the DPA notes that, with the aim of digitalising working time monitoring and enhancing security, organisations are increasingly resorting to biometric identification systems such as fingerprint, facial recognition and iris/retina scanning, and that the DPA has received a significant number of notices and complaints in this respect. It underlines that biometric data are extremely sensitive in nature and that, due to the structural imbalance of power in the employer–employee relationship, data processing activities in this area require special attention. The key points of the Decision can be summarised as follows:

• Biometric data processing activities must comply not only with valid legal grounds, but also with the principles of proportionality, necessity and data minimisation.
• Although the legislation contains provisions imposing on employers an obligation to monitor and document working time, there is no statutory provision that requires or foresees the use of biometric identification systems in order to do this. Therefore, the processing of biometric data cannot be legitimised on the basis of the “explicitly provided for by law” condition set out in Article 6 of the Personal Data Protection Law No 6698 (the “PDPL“). Accordingly, the processing of biometric data for the purpose of working time monitoring currently entails a risk of unlawfulness.
• In practice, since the other processing conditions set out in the third paragraph of Article 6 of the PDPL cannot be met for working time monitoring, biometric data processing is mostly based on “explicit consent”. However, due to the imbalance of power in the employer–employee relationship, the lack of an effective opportunity not to give consent or to withdraw consent, and the potential adverse consequences of an employee refusing consent, it cannot be said that the employee has a genuine choice. In such circumstances, explicit consent cannot be based on free will, nor to constitute sufficient legal basis on its own.
• The principle of proportionality plays a decisive role when assessing personal data processing activities. In this context, where less intrusive alternative methods are available (such as password-protected card or PIN-based systems, traditional signature and paper-based attendance sheets, RFID/NFC ID cards or manual entry under supervisor control, etc.), the processing of biometric data for working time monitoring purposes does not meet the proportionality requirement, even where the data subject’s explicit consent is obtained.

In short, the DPA has decided that:
(i) The processing of biometric data for the purpose of working time monitoring is carried out without relying on any of the processing conditions set out in Article 6 of the PDPL,
(ii) Even where valid explicit consent is obtained, such processing activities do not satisfy the proportionality criterion,
(iii) Working time monitoring must be ensured through less intrusive alternative methods that do not require the collection of biometric data instead of biometric identification systems,
(iv) These matters fall within the scope of the administrative and technical measures to be taken by data controllers pursuant to Article 12 of the PDPL, meaning that non-compliance will be subject to sanctions under Article 18 of the PDPL.

ANNOUNCEMENT ON THE USE OF CCTV IN WORKPLACES

Considering the increasing number of complaints regarding the unlawful or improper use of CCTV in workplaces, the DPA published a new public announcement on 8 June 2026. The announcement particularly criticises the monitoring of employees’ break areas, the coverage of all areas of the workplace by cameras for the purpose of “general control”, and the retention of recordings for longer than necessary. The main points highlighted in the announcement can be summarised as follows:

• Although employers have obligations under Article 417 of the Turkish Code of Obligations No 6098 and the Occupational Health and Safety Law No 6331 to protect the personality of employees and to ensure occupational health and safety, it is emphasised that these obligations cannot be fulfilled through the continuous and disproportionate monitoring of employees, and that a clear distinction must be drawn between surveillance for security purposes and monitoring for disciplinary or performance control.
• Before installing CCTV in the workplace, the purpose must be determined in a specific and clear manner. This purpose must not subsequently be expanded to include additional objectives such as monitoring employees’ attendance or performance, and, in line with the principle of data minimisation. The least amount of data, the narrowest field of view and the most limited coverage necessary to achieve the purpose must be chosen. It is further stated that abstract monitoring objectives such as checking whether employees work efficiently, increasing discipline or ensuring “general control” will not be accepted as legitimate purposes.
• Within the framework of the principle of proportionality, it is noted that the use of cameras at entry and exit points, warehouses, cash desks and other high-risk security areas can be more easily justified. On the contrary, no cameras should be installed in private areas such as toilets, changing rooms, prayer rooms and break areas, and that wide-angle or face-focused recordings covering all areas of the workplace, as well as intensive surveillance practices that eliminate employees’ reasonable expectation of privacy, will be considered unlawful.
• Audio recording is considered a much more serious interference compared to video recording and may only be envisaged in highly exceptional cases where its necessity can be demonstrated specifically. It is also emphasised that, in publicly accessible areas of the workplace, the impact of camera recordings on individuals who are not subject to surveillance and monitoring, particularly vulnerable groups such as children, must be specifically assessed.
• Data subjects, including employees and other individuals, must be informed about CCTV monitoring/recording; retention periods for recordings must be limited to the shortest period necessary in connection with the purpose; automatic deletion or anonymisation mechanisms must be implemented; an authorisation matrix and procedures must be established to ensure that only authorised persons have access; and recordings must not be shared with third parties without authorisation.
• In the event of non-compliance with these obligations, sanctions – including administrative fines – may be imposed under Article 18 of the DP Law.

CONCLUSION

In conclusion, both the Decision and the public announcement call on employers to reassess their workplace surveillance and working time monitoring practices and to ensure strict compliance with the general principles of the PDPL.

Although employers are recognised as having a managerial prerogative to set workplace rules within the framework of labour law principles, the existence of a hierarchical relationship between the parties and the questionable nature of the employee’s consent to such measures mean that imposing disciplinary sanctions on the basis of findings obtained through “continuous and disproportionate surveillance” will not be considered lawful under either data protection legislation or labour law.

In particular, recordings made in areas where employees have a reasonable expectation of privacy, or surveillance activities carried out without prior, duly provided information, may give rise to allegations that the employer has exceeded the limits of its managerial prerogative.

Accordingly, it is important for employers not only to ensure compliance with the PDPL, but also to reassess their monitoring and time-tracking systems in light of the delicate balance between the employer’s managerial rights and the employee’s personality rights, and to update their internal policies and procedures where necessary.

In this context, less intrusive methods should be preferred over biometric working time monitoring, and CCTV in workplaces should be used only for legitimate, clearly defined and limited purposes. Otherwise, significant administrative sanctions may arise.