
Protection of Employee Personal Data: GDPR Obligations for Employers

Introduction

Employers process a large amount of personal data belonging to employees from the establishment to the termination of the employment relationship. This includes resumes obtained during job applications, identity information, contact information, diplomas and certificates, references, criminal records, health reports, bank account information, social security records, payroll information, security camera footage, entry and exit records, performance evaluations, disciplinary files, workplace email correspondence, vehicle tracking data, and employee attendance records.

Protecting employees' personal data is not merely an administrative formality for employers. The Law No. 6698 on the Protection of Personal Data imposes significant obligations on employers as data controllers. Employers must process employee data lawfully, inform employees, ensure data security, avoid collecting unnecessary data, take stricter measures for sensitive personal data, and conduct data processing activities in a measured manner.

According to the KVKK (Law on Protection of Personal Data), personal data is any information relating to an identified or identifiable natural person. The processing of personal data is only possible if at least one of the processing conditions stipulated in Article 5 of the Law is met, such as explicit consent, explicit provision in the law, establishment or performance of a contract, legal obligation, establishment or protection of a right, or legitimate interest.

The fundamental tension in employer-employee relations is this: the employer has the right to manage, supervise, and organize the workplace; however, this right does not negate the employee's right to privacy and the protection of their personal data. Even when present at the workplace, the employee can demand respect for their private life, personality, and personal data. Therefore, each processing step involving employee data must be evaluated individually in terms of purpose, legal basis, proportionality, disclosure, retention period, and data security.

What is Employee Personal Data?

Employee personal data is any information relating to an employee within the scope of the employment relationship that directly or indirectly identifies the employee. Examples of employee personal data include name, surname, Turkish Republic identity number, address, telephone number, email address, date of birth, marital status, bank account information, salary information, social security registration number, employment entry and exit records, leave information, performance evaluations, disciplinary records, camera footage, workplace computer logs, and company vehicle GPS records.

In addition, some employee data is considered special categories of personal data. Health reports, disability information, records of work accidents and occupational diseases, periodic examination results, biometric data, information regarding criminal convictions and security measures, trade union membership, and data relating to religious beliefs are considered special categories of personal data. Because special categories of personal data could lead to discrimination or harm if learned, they are protected more strictly and can only be processed in the limited circumstances specified in the Law.

Therefore, it is incorrect for an employer to act on the assumption that "this is employee data, I can keep it in my workplace file." For each piece of data, the employer should ask the following questions: Why am I collecting this data? What legal basis do I have? Is this data truly necessary? Can I achieve the same purpose with less data? How long should I keep the data? Who will have access to it? Have I informed the employee?

What legal grounds does an employer have to process employee data?

Employers' processing of employee data is not always based on explicit consent. In fact, many data processing activities related to the employment relationship are based on legal grounds other than explicit consent. For example, an employer's processing of an employee's identity information, social security records, payroll information, and documents required in their personnel file is often based on a legal obligation, the performance of the employment contract, or reasons explicitly stipulated in the law.

Article 75 of the Labor Law No. 4857 stipulates that employers must maintain personnel files for each employee and keep records of the employee's identity information, as well as other documents and records required by relevant laws. The Personal Data Protection Authority's explanations regarding the conditions for processing personal data also cite, as an example, that employers can process employee identity data under Article 75 of the Labor Law, provided it is "explicitly provided for in the laws."

In its decision numbered 2022/896, the Personal Data Protection Board also assessed that employers can process identity information in personnel files under Article 75 of the Labor Law on the condition of "explicitly provided for in the laws"; and other personal data that should be included in personnel files on the condition that "it is necessary for the data controller to fulfill its legal obligations".

However, this does not mean that an employer can collect any data they want about an employee. Collecting data that is not necessary for the personnel file, irrelevant to the nature of the job, excessive, or unnecessary may violate the proportionality and data minimization principles of the Personal Data Protection Law (KVKK). For example, requesting detailed information about all family members, health history, details about private life, or criminal records unrelated to the nature of the job also creates legal risks.

When is explicit consent valid in employer-employee relations?

Explicit consent is an employee's informed and free-willed approval on a specific matter. However, the validity of explicit consent in employer-employee relations is not always indisputable. An employee may feel compelled to consent out of fear of losing their job or experiencing negative treatment. Therefore, the element of free will in obtaining explicit consent from employees must be carefully considered.

In its decision numbered 2020/404, the Personal Data Protection Board examined the consent forms and explicit approval texts obtained from employees by employers; the practice of considering personnel files as incomplete if employees do not give their consent was evaluated in terms of the power balance in the employer-employee relationship. The decision also discussed the processing of data such as fingerprints, the duty to inform, and the legality of special categories of data.

Therefore, employers should not unnecessarily obtain explicit consent for data that may be processed within the scope of legal obligations or contractual performance. Explicit consent should only be used in specific data processing activities where it is genuinely needed. For example, sharing an employee's photograph on the company's social media accounts for promotional purposes, using employee data in marketing activities, or certain specific data processing activities for which there is no legal basis other than explicit consent may require it.

However, even with explicit consent, data processing must be proportionate, necessary, and appropriate to the purpose. An employer cannot process data without limit simply because an employee has given consent. Explicit consent does not override the general principles of the Personal Data Protection Law (KVKK).

How should an Employee Privacy Notice be prepared?

Employers are obligated to fulfill their duty to inform employees when processing their data. The information notice must clearly state the identity of the data controller, which personal data is processed and for what purposes, to whom and for what purpose the data may be transferred, the data collection method, the legal basis, and the employee's rights under the Personal Data Protection Law (KVKK).

Employee information notices should not be a generic, copy-pasted text. Human resources processes, payroll and accounting processes, social security and tax declarations, occupational health and safety, performance evaluation, security camera footage, attendance tracking, benefits, disciplinary processes, training activities, and employee termination procedures should all be considered separately.

For example, the following logic could be applied to an employee information notice: Your identity and contact information are processed for the purpose of establishing and executing the employment contract; based on the legal grounds of contract performance and fulfilling legal obligations. Your bank account information is processed for the purpose of making wage payments; based on the legal grounds of contract performance. Your health information is processed for the purpose of fulfilling occupational health and safety obligations; within the scope of relevant legislation and special categories of personal data processing conditions.

The burden of proof that the obligation to inform has been fulfilled rests with the employer. In the Board's decision numbered 2022/896, the employer's inability to provide supporting documentation to substantiate their claim of fulfilling the obligation verbally was also considered. Therefore, it is important for employers to make employee information notices verifiable through signatures, electronic approvals, personnel portal records, or similar methods.

Personnel File and Employee Data

The employer is obligated to maintain a personnel file for each employee. This file may contain the employee's identification information, employment contract, social security declarations, payroll records, leave documents, training records, occupational health and safety documents, necessary documents, and records required by legislation. However, a personnel file is not an archive where unlimited information about an employee can be stored.

Data contained in personnel files must be used in accordance with the principles of honesty and the law, and information that the employee has a legitimate interest in keeping confidential should not be disclosed. In its decision numbered 2022/896, the Personal Data Protection Board explicitly reiterated this obligation under Article 75 of the Labor Law and discussed the legal grounds on which an employer may process employee data within the scope of personnel files.

Employers must restrict access to personnel files. Allowing unauthorized employees outside of human resources, accounting, and management departments to access personnel files poses a serious data security risk. Physical files should be kept in locked cabinets or controlled archives; electronic files should be protected with authorization, passwords, log records, and access restrictions.

Data in personnel files may be retained for specific periods even after the employment relationship ends. However, the retention period must be determined separately for each piece of data. Labor law, social security, tax, compensation, workplace accident, and statute of limitations periods should be taken into account; data whose retention period has expired should be deleted, destroyed, or anonymized.

Processing Employee Health Data

Employee health data is considered special categories of personal data. This includes pre-employment health reports, periodic examination records, disability reports, disability information, pregnancy information, work accident records, occupational disease information, and workplace physician records.

Employers may process certain health data to fulfill their occupational health and safety obligations. However, this data processing activity should be limited to what is necessary for the job. For example, obtaining a fitness-for-work report may be necessary for a worker in a hazardous environment; however, requesting a detailed health history from an office worker that is unrelated to the nature of the job may be considered excessive.

Special categories of data may only be processed in the limited circumstances specified in the Law. If health data is processed within the scope of occupational health and safety, employment obligations, or relevant legislation, this must be clearly indicated in the data disclosure statement. Furthermore, stronger technical and administrative measures should be taken for special categories of data.

Disseminating health data in the workplace, sharing it unnecessarily with managers or other employees, circulating it in WhatsApp groups, or keeping it uncontrolled in personnel files can constitute a serious violation of the Turkish Personal Data Protection Law (KVKK). Employers should only share an employee's health information with those who need to know it for job purposes and only to the extent necessary.

Workplace Camera Recording and Employee Privacy

Workplace camera recording constitutes the processing of employee personal data. Employers may use cameras for legitimate purposes such as workplace safety, crime prevention, occupational health and safety, or facility security. However, the camera system should not lead to employees being under constant surveillance and their privacy being disproportionately violated.

In its 2026 announcement regarding the use of security cameras in workplaces, the Personal Data Protection Authority emphasized that the purpose of installing cameras must be clearly defined, avoiding abstract purposes such as "general control," "increasing discipline," or "continuous monitoring of employees." The Authority also explicitly stated that cameras should not be placed in private areas such as restrooms, changing rooms, prayer rooms, and rest areas.

Proportionality is crucial in camera recording. Camera use is more easily justified in areas such as entry/exit points, storage areas, cash registers, or other areas posing security risks. Conversely, systems that closely monitor employees' desks, continuously record facial features, or provide unlimited surveillance of the entire workspace can create legal risks.

Camera systems must also satisfy the duty to inform. Visible camera warning signs must be present in the workplace; a detailed camera privacy notice must be accessible; and the purpose of camera recordings, retention period, access authorities, and employee rights must be clearly stated. Camera recordings should be stored for the shortest possible time and should only be accessible by authorized personnel. The Authority states that retaining recordings for longer than necessary may constitute a violation of the Personal Data Protection Law (KVKK) and that an automatic data destruction mechanism should be in place.

Tracking Work Attendance with Biometric Data

One of the riskiest practices for employers is tracking attendance using biometric systems such as fingerprints, facial recognition, iris scans, retina scans, or palm prints. Because biometric data is considered sensitive personal data, it is subject to much stricter legal requirements.

In its announcement regarding the Personal Data Protection Board's principle decision dated April 29, 2026, numbered 2026/921, it was stated that the processing of biometric data for the purpose of tracking working hours does not meet any of the processing conditions stipulated in Article 6 of the Law; and that even with valid explicit consent, this processing does not meet the proportionality criterion. The Board explained that working hour tracking should be provided through alternative methods such as encrypted cards, PIN-based systems, traditional signature sheets, RFID/NFC cards, or manual entry under the supervision of an auditor, instead of biometric systems.

This decision is extremely important for employers. Taking an employee's fingerprint, registering their face in a recognition system, or processing iris data cannot be seen as a simple method of personnel tracking. If the same purpose can be achieved with less intrusive methods, the processing of biometric data can be considered disproportionate. Obtaining explicit consent does not completely eliminate this risk; because whether explicit consent in the employer-employee relationship is based on free will is also debatable.

Therefore, employers should conduct a thorough legal risk analysis before implementing biometric attendance tracking systems, review their existing systems, and switch to less intrusive alternative systems if possible.

Monitoring Work Email, Computer and Internet Usage

Employers may exercise a degree of control over computers, corporate email accounts, internet access, software systems, and company equipment provided to employees. The purpose of this control may be to protect company secrets, ensure information security, manage business processes, prevent unlawful use, or protect the employer's rights.

However, supervision is not unlimited. Employers cannot interfere excessively in employees' private lives. Corporate email and computer usage policies should be determined in advance and communicated to employees. Employees should know which systems can be monitored, whether personal use is prohibited, under what circumstances email content can be reviewed, and for what purpose log records are kept.

For example, if an employee uses company email to disclose company secrets to third parties, the employer may be able to conduct a limited investigation for the purpose of establishing, exercising, or protecting rights. However, it may be unlawful for the employer to constantly monitor all of the employee's private correspondence, attempt to access their personal accounts, or examine their private files purely out of curiosity.

In this area, employers need to prepare written information system usage policies, corporate email policies, and information security policies; inform employees with these documents; and conduct audits in a measured manner.

Vehicle Tracking System and Location Data

The use of GPS tracking systems in company vehicles is common, especially for field personnel, sales teams, technical service, logistics, and cargo processes. Location data can also be considered personal data. Therefore, a compliance analysis with the Turkish Personal Data Protection Law (KVKK) should be conducted when using vehicle tracking systems.

Employers may use vehicle tracking systems for purposes such as vehicle security, route planning, customer service, fuel monitoring, or work organization. However, the system should not become a tool for monitoring an employee's private life outside of working hours. If the vehicle assigned to the employee is also provided for private use, continued off-hours location tracking can constitute a serious privacy violation.

Employees whose vehicles are fitted with tracking systems must be clearly informed; it must be stated what data is collected, for what purpose it is processed, who has access to it, how long the data is stored, and whether tracking is done outside of working hours. The employer's approach of "the vehicle belongs to the company, I can track it as I see fit" is not sufficient in terms of the Personal Data Protection Law (KVKK).

Data Security and Employer's Technical and Administrative Measures

Employers are obligated to take the necessary technical and administrative measures to protect employee data. Under Article 12 of the Personal Data Protection Law (KVKK), the data controller is responsible for preventing the unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the preservation of personal data. The Authority states that the data controller must take all necessary technical and administrative measures to ensure an appropriate level of security.

Administrative measures that can be taken regarding employee data include the preparation of GDPR policies, the drafting of employee information texts, confidentiality agreements, authorization matrices, personnel training, disciplinary procedures, retention and destruction policies, and data breach response plans.

Technical measures include access authorization, strong password policies, two-factor authentication, encryption, log recording, backups, antivirus software, firewalls, data loss prevention systems, network security, cloud access controls, and restricting system access for former employees.

The employer is not entirely absolved of responsibility even if another company processes employee data on their behalf. If working with a payroll company, accountant, occupational health and safety firm, software provider, cloud service provider, security company, or human resources consultant, contracts containing data security provisions must be established with these parties, and data processing processes must be monitored. The Authority states that the data controller is jointly responsible with these parties for taking the necessary precautions when personal data is processed on its behalf.

Employee Rights under the Personal Data Protection Law

The employee is the data subject whose personal data is processed. Therefore, by contacting the employer, the employee can inquire whether their personal data is being processed, request information regarding this processing if it is, learn the purpose of the processing and whether it is being used appropriately, ask to whom the data has been transferred domestically or internationally, request the correction of incomplete or inaccurate data, request the deletion or destruction of data if the conditions are met, and request compensation for any damage suffered.

The employer must finalize the employee's GDPR application as soon as possible, and no later than thirty days. If the application is rejected, the response is deemed insufficient, or no response is given within the specified time, the employee may file a complaint with the Personal Data Protection Board within thirty days of learning of the data controller's response, and in any case within sixty days of the application date.

Therefore, employers need to seriously consider employee applications. An approach like "we don't respond because they are former employees" or "we keep whatever is in their personnel files" creates legal risks. Even if the employment relationship ends, former employees retain their rights under the Personal Data Protection Law regarding their personal data.

The Most Common GDPR Mistakes Employers Make

The most common mistake employers make is obtaining unnecessary and broad explicit consent from employees. Obtaining explicit consent for data that the employer may process under legal obligations can obscure the legal basis for data processing. Where explicit consent is required, the text must be specific, clear, and based on free will.

The second mistake is the general and inadequate preparation of the employee information document. Human resources processes, camera recordings, vehicle tracking systems, health data, and email monitoring should not be glossed over with vague expressions in the same document.

The third mistake is allowing everyone access to the data in personnel files. Employee files, payroll information, medical reports, and disciplinary records should only be viewable by those who need to access them for job purposes.

The fourth mistake is the excessive use of cameras and surveillance systems. Continuous monitoring of employees, audio recording, placing cameras in private areas, or off-hours GPS tracking pose serious GDPR risks.

The fifth mistake is processing biometric data for convenience. Under the Board's approach dated 2026, systems like fingerprint and facial recognition for attendance tracking pose serious legal risks.

The sixth mistake is retaining former employees' data indefinitely. Employers should define retention periods and delete, destroy, or anonymize the data after that period.

The seventh mistake is failing to respond to employee applications in a timely manner. The lack of an internal process for GDPR applications increases the risk of complaints to the Board and administrative sanctions.

Conclusion

The protection of employees' personal data is one of the areas of GDPR compliance that employers must handle with the utmost care. Processing employee data is often necessary for employers due to the nature of the employment relationship; however, this necessity does not grant the employer unlimited data processing authority. Every data processing activity must be based on a specific purpose, a valid legal basis, and the principle of proportionality.

Employers must clearly and understandably inform employees, maintain personnel files in accordance with the law, take stricter measures regarding health and biometric data, use cameras and personnel tracking systems judiciously, limit email and computer monitoring with predetermined policies, and implement technical and administrative measures to ensure data security.

In particular, the Board's announcements dated 2026 indicate that employers need to be more cautious regarding the use of cameras in the workplace and biometric timekeeping. The need for security in the workplace may be legitimate; however, this need does not justify the continuous and excessive monitoring of employees. Biometric systems such as fingerprint or facial recognition cannot be preferred simply because they are practical.

In conclusion, a proper GDPR compliance process for employers involves creating an employee data inventory, preparing employee information texts, separating processes requiring explicit consent, securing personnel files and health data, reviewing camera and surveillance systems, determining data retention and destruction periods, and establishing a mechanism to respond to employee requests. When this process is carried out correctly, it reduces the employer's risk of legal and administrative fines, and effectively protects the privacy and personal data of employees.
