In the decision of the Constitutional Court with the application number 2018/11988 and dated 10.03.2022, which was published at the Official Gazette dated 19.04.2022, it was resolved that tracking of the working hours of a public institution employee with the fingerprint registry system violates the right to request for protection of personal data within the scope of the right to respect private life.

First of all, we would like to indicate that although it is emphasized in the Constitutional Court decision that there is no legal regulation regarding the tracking of the working hours of public institution employee, there is no explicit legal regulation also for the private legal entities that allows the processing of sensitive data of employees on tracking of working hours without their explicit consent. Therefore, we are of the opinion that this Constitutional Court decision shall be binding upon private legal entities as well.

In the decision of the Constitutional Court, it is stated that in cases where;

(i) The employee does not consent to the processing of his/her sensitive data,

(ii) There is no regulation in the legislation that allows the processing of personal data without explicit consent,

it may be accepted that the right to request for protection of personal data within the scope of the right to respect private life, which is assured in Article 20 of the Constitution is violated.

At the same time, we would like to remind that the above situation will also be contrary to the Law on Protection of Personal Data (“Law”), although it is not specified in the decision of the Constitutional Court.

In the aforementioned decision, the Constitutional Court also mentions the following issues:

  • Restrictions on fundamental rights and freedoms must comply with the criteria of being regulated by law, having a legitimate purpose, not contradicting the requirements of the democratic social order and the principle of proportionality, as stipulated in Article 13 of the Constitution.
  • If the employee does not give explicit consent to the processing of the biometric data by the public institution employer, it is obvious that it can be processed without explicit consent within the scope of the exceptions stated under the Law. In addition, it is reminded that this processing must be based on a legitimate purpose, following the requirements of a democratic society and must be proportionate.
  • In cases where the principles and procedures for processing of the employee’s sensitive data are regulated by the law, these data may be processed according to the provision of law without consent. However, the law must be of a quality that will determine the main principles related to the subject containing the restriction of the fundamental rights and freedoms of the employee.

In this context, the law and the legislation based on the relevant law are expected to determine especially the principles regarding the scope and protection of the processing of personal data. The law must also include clear and detailed rules that will provide to have sufficient assurance against the excess of power and arbitrariness of its interlocutors regarding the methods related to period of storage, accessing by third parties, using and destruction of data.

  • To speak of the presence of the explicit consent within the context of the Law, it is required that the employee must be previously informed satisfyingly at least about the scope, purpose, limitations and consequences of processing of personal data.
  • It was also found out that regulations regarding the determination of working hours and starting and ending of daily working hours of public employees exist; however, there is no clear regulation regarding the monitoring of the employee’s attendance to work and allowing the processing of sensitive personal data for this purpose.

For these reasons, since the employee has not provided an explicit consent to processing of sensitive personal data in the concrete case, it was decided that it does not fulfill the lawfulness condition of data processing and it was decided that the right to request for protection of personal data within the scope of the right to respect private life as assured in Article 20 of the Constitution is violated.

You can find below the press release of the Constitutional Court about the subject (in Turkish):

https://www.anayasa.gov.tr/tr/haberler/bireysel-basvuru-basin-duyurulari/parmak-izi-kayit-sistemiyle-mesai-takibi-nedeniyle-kisisel-verilerin-korunmasini-isteme-hakkinin-ihlal-edilmesi/

Batuhan Şahmay
Özlem Özdemir Yılmaz
Senior Associate | ozlem.ozdemir@bener.com
Behiç Ateş Gülenç
Associate | ates.gulenc@bener.com