Personal data is becoming more and more integrated into our lives every day. We share our personal data through the people we have long been in contact with in daily life, workplaces, companies, hospitals, schools, the websites we visit, the applications we download and the memberships we create on them, and social media channels. Various people and organizations hold our personal data, some of which we share at our own discretion and some of which is accessed without our knowledge, and they sometimes store or use this information, or transfer it to others, for various purposes. Personal data law is a relatively new branch of law that forms the legal basis of these relations and gives them a legal dimension.
Personal data law was raised for the first time in our country with the entry into force of the Law on the Protection of Personal Data No. 6698 (KVKK), and new rules were then introduced in this area through the regulations issued in connection with this Law. The entry into force of these regulations has also given a new dimension to employee-employer relations and introduced new obligations for employers. It is very important to determine the responsibilities of the employee or institutions within the scope of KVKK and to carry out regulatory compliance studies; otherwise it will be inevitable to face criminal sanctions, and various disputes will arise.
1. The Concept of Personal Data
According to Law No. 6698 on the Protection of Personal Data, personal data is all kinds of information relating to a real person who is identified or can be identified. From the definition in the law alone, it is not immediately clear what personal data is. Nor does the Law list one by one which information belonging to a person is personal data. What matters is whether the data has a feature that distinguishes a person from other people. In each concrete case, it must be checked whether a piece of data, alone or in combination with other data, points to a certain real person. Examples of personal data are a person’s name, surname and other identification information, photo, voice recording, criminal record, IP address, family characteristics, ethnicity, political and philosophical views, and profession.
Personal data is necessarily information belonging to a real person, that is, an individual. For example, in this context, it is clear that information belonging to companies and other organizations that qualify as legal entities is not personal data.
Personal data is further divided into a sub-category, personal data of a special nature, and such information is more strictly protected, because this is the kind of data that can cause discrimination against people. The law determines exhaustively which data is personal data of a special nature, so the list cannot be extended. Personal data of a special nature in accordance with the law is: “persons race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, association or trade union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data.”
Within personal data of a special nature, data on a person’s health and sex life have a different place. This difference arises from the conditions under which the data can be processed by the data controller or data processors. Personal data of a special nature can only be processed with the explicit consent of the related person or in the cases shown in the Law. Personal data on health and sex life can only be processed “to protect public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation to keep secrets.”
2. Concepts of Data Controller and Data Processor
The data controller may be a natural or legal person. It is the person who determines the purposes and means of data processing and is responsible for the establishment and management of the data recording system. A data processor is a natural or legal person who processes data on behalf of the data controller, with the authority granted by the data controller, according to the controller’s instructions or the contractual relationship between them.
Market research companies, couriers, and call center companies that provide services from outside are data processors.
It is sometimes difficult to distinguish these two concepts from each other. The two titles can also be united in the same person. For example, a company can be both a data controller and a data processor. An accounting company has the title of data controller for the data of its employees, and of data processor when storing the data of the companies that are its customers.
Again, since the data controller must be a legal entity or an individual, it is not possible for units that do not have a legal entity within the company to be data controllers. Here, the data controller is a corporate legal entity, and if there are natural persons processing data on behalf of the company, they can only be positioned as data processors.
In the sub-employer-principal employer relationship, there may be situations where both the sub-employer and the main employer are responsible for data regarding the employees of the main employer. If the main employer determines the purposes and means of data processing in relation to these employees, the main employer also has the title of data controller. However, this is not an absolute rule, and there may also be a data processor-data controller relationship between them. For an accurate determination, it is necessary to look at how the data is processed in the relationship between them.
3. Personal Data of the Employee
The protection of personal data has a close relationship and interaction with labor law. Since employers must store information belonging to workers in employee personal files, the employer is responsible for the data relating to the employee. Personal data belonging to employees is all kinds of information, stored in a computer environment or in employee personal files, that covers the private and professional life of the employee, relates to the employee, and makes them identifiable. In this context, the worker’s address, phone number, trade union activities, performance reports, health information, e-mail correspondence, ethnic origin, religion, nationality, and marital status are examples of personal data.
4. The Employer’s Responsibility for the Employee’s Personal Data
Protection of the personal data of employees is also regulated by Article 75 of the Labor Code. According to the article in question, “The employer organizes a personal file for each employee it employs. In this file, the employer is obliged to store all kinds of documents and records that it has to organize in accordance with this Law and other laws, as well as the employee’s identity information, and to show them to the authorized officers and authorities at any time. The employer is obliged to use the information obtained about the employee in accordance with the rules of honesty and the law and not to disclose the information that the employee has a justified interest in remaining confidential.”
Employers are obliged to follow certain rules when processing, storing, and using this information belonging to employees, and when transferring it to others domestically and abroad. If the employer does not comply with these rules in its capacity as data controller, it will face criminal sanctions. The employer’s responsibilities as data controller regarding the employee’s personal data are set out one by one below.
4.1. Remain Limited to the Purposes of Use
The employer has the right to request and record only the information about the employee, such as job description, experience, professional competence, and educational status, that is necessary for the establishment and maintenance of the employment relationship and the performance of the work.
We often see employers request employee data that has nothing to do with the employment relationship and exceeds the limits of the employee-employer relationship. However, this is behavior that gives rise to the employer’s responsibility and carries sanctions. For example, asking a female employee during recruitment whether she is married and whether she is thinking of having children is both a discriminatory practice contrary to the principle of equality and problematic behavior within the scope of KVKK. Such a question can be asked only if the nature of the work requires it. For example, it can be considered a question that may be asked when hiring a radiology technician, so that the worker is not harmed. In the same way, it is acceptable if it is asked as the basis for payments to be made under the Income Tax Law.
Likewise, a criminal record is not a type of data that an employer can legally request from a job candidate, and it has nothing to do with the employment relationship. However, it may be considered possible to request and process this type of data for jobs where it is specifically relevant, such as hiring a security guard.
4.2. The Obligation of Clarifying the Worker
The employer is obliged to inform the employee or job candidate of the purpose for which their information is obtained, where the data is stored, who can access it, and to whom it can be transferred (Article 10 of the KVKK). This obligation applies to the employer in respect of both its current employees and persons applying for a job. It must necessarily be fulfilled before the data is processed.
In the same way, if the employee requests it, the employer must share information with the employee, such as to whom the data is transferred and for what purpose it is used.
4.3. The Obligation to Comply with the Principle of Confidentiality and Obtain Explicit Consent
In order for the employee’s personal data to be processed, used and transferred to others by the employer, the explicit consent of the employee must be obtained, subject to the exceptions in the Law. How employers will fulfill this obligation is set out in the Communique on the Procedures and Principles to be followed in Fulfilling the Clarifying Obligation, published in the Official Gazette dated March 10, 2018, and numbered 30356. In accordance with Article 5/1-b of this communique, the employer must fulfill both the clarifying obligation towards the employee and the obligation to obtain explicit consent. The employer is required to prepare two separate documents, a “Clarification Text” and an “Explicit Consent Approval”, attach them to the employee’s employment contract, and store the documents signed by the employee in the employee’s personal file.
4.4. Cases Where the Employer is Exempt from Obtaining Explicit Consent
As mentioned under the previous heading, the rule is that the employer must obtain the explicit consent of the employee for any transaction related to the employee’s data. However, the Law also contains exceptional provisions under which the employer may share some of the employee’s data without needing to obtain consent. For example, during audits, employers may share information and documents of a general nature about workers with the auditors without the employee’s consent, and the employer likewise does not need the employee’s consent to share some of the employee’s data with official institutions. For example, there is no legal problem in the employer sharing the employee’s data with the relevant institutions without permission because of its obligations under withholding tax procedures and social insurance.
Data such as performance evaluation reports obtained during the employment contract and the employee’s productivity can also be processed without the explicit consent of the employee. Obtaining data by various means of performance auditing, such as tracking the employee by taking images, is also not subject to the employee’s explicit consent, provided that it does not reach a level that violates the employee’s private life and is limited to the legitimate purposes of the employer. It should be noted right away, however, that the employee should be informed in writing about the processing of these data, and this practice must be notified. Otherwise, the use of these data as evidence against the employee is against the law.
Fingerprint entry-exit records, which many companies prefer today, are also a practice that may pose a problem under the moderation principle. The employee’s fingerprint is a kind of biometric data, which is personal data of a special nature. In this sense, an employer’s preference for a card pass system instead of this method is more in line with the legislation in terms of moderation and limitation to the purposes of use.
It should be noted that these issues should be understood in a rather limited way and should be treated as sensitively as possible by employers when recording or sharing employee data.
4.5. The Obligation to Take the Necessary Measures for the Protection of Data
As a result of living in the Internet and computer age, we now store and share a lot of information on the internet. This also brings new problems related to the security of our information stored on computers and the Internet. We often hear from the press that some workplaces and companies have been subjected to cyber attacks. Companies, and employers who own a workplace as a natural person, are obliged to protect the personal data of their customers as well as the data of the employees they work with, and they are responsible for the security of that data.
Employers have obligations arising from the Law to ensure the confidentiality of workers’ data, to prevent unauthorized access to this data by others, and to establish the necessary technical infrastructure for this. Even if the employer receives services from another workplace or company for data security, this does not eliminate its responsibility. The employer is required to pay workers compensation.
4.6. Obligations on the Transfer of Data Abroad
In order to share the personal data of the employee domestically, the explicit consent of the employee should be sought after informing them about this. But there are also situations in which it is necessary to transfer workers’ data abroad. Especially in multinational companies, data is transferred abroad, or employee data is shared with foreign principles through the access that foreign partner companies have to the databases of these companies. In this context, the employer has two responsibilities. Firstly, it must obtain the explicit consent of the employee to this sharing within the scope of KVKK. Secondly, employers are obliged to investigate whether the country with which they will share personal data can provide adequate protection for this data, and not to share data when it is determined that the country cannot provide it.
4.7. Registration in the Data Controllers Registry
According to Article 16 of KVKK No. 6698, natural and legal persons who process personal data must register in the Data Controllers Registry, abbreviated as VERBIS, before starting to process personal data. The registration can be carried out online at the internet address of the Personal Data Protection Agency.
4.8. Obligations on Deletion, Destruction or Anonymization of Data
We have mentioned that employers may process only the information about employees that is required by the employment relationship. The employer may process data only for limited purposes of use. In addition, it is illegal for the employer to process employees’ personal data of a special nature, for example, their philosophical and political opinion, health, habits, and so on, and the employee may always request that such data be deleted.
The employer may also continue to store data on employees who have left their jobs only for the periods specified in the Law. At the end of these periods, the employer must delete or anonymize the information belonging to the employee.
Likewise, the information obtained from candidates during recruitment processes should be deleted or anonymized if the recruitment does not take place. The employer bears responsibility for continuing to store candidates’ resumes or sharing them with other workplaces or companies unless the explicit consent of the candidates is obtained.
5. Sanctions That Will be Applied If the Employer Does Not Fulfill Their Responsibilities
In our legislation, various criminal and misdemeanor sanctions (imprisonment and fines) apply to employers who violate the regulations on personal data, and private law also provides for obligations to pay compensation to the persons to whom the data belongs.
Firstly, under Articles 135 to 140 of the TCK, it is a crime requiring imprisonment from 1 to 3 years for employers to illegally record, seize, share or destroy personal data. The crimes of recording personal data, giving or seizing data unlawfully, and not destroying data are not even subject to a complaint requirement. If the employer who commits these crimes is not a natural person but a legal entity such as a company, a security measure specific to legal entities will be applied instead of a prison sentence. Among companies under the umbrella of a holding, each company that determines the purpose and means of data processing in its subsidiaries is responsible for these sanctions in the capacity of data controller.
Article 18 of the KVKK provides for the imposition of an administrative fine on natural or legal persons responsible for data in relation to the following behaviors, which constitute misdemeanors:
- From 5,000 Turkish liras to 100,000 Turkish liras for those who do not fulfill the obligation of disclosure,
- From 15,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill obligations related to data security,
- From 25,000 Turkish liras to 1,000,000 Turkish liras for those who do not comply with the decisions made by the Personal Data Protection Board,
- From 20,000 Turkish liras to 1,000,000 Turkish liras for those who act contrary to the obligation to register with and notify the Data Controllers Registry.
It should also be noted that under the provisions of private law, an employee can claim compensation from an employer on the basis of a violation of the confidentiality of private life.
The issue of personal data protection in employee-employer relations has been on the agenda of individuals, companies and employers since 2016. Since there are serious sanctions for non-compliance with the KVKK legislation, it is a legal obligation for all companies to carry out compliance studies with the legislation on the protection of personal data, to create the necessary texts, and to determine their privacy and data policies. To avoid criminal sanctions and civil litigation in this regard, it is important that employers are informed, and provide the necessary information, on all issues related to the disclosure obligation for processing employee data, explicit consent texts, and the lawful processing, storage, sharing and deletion of personal data. The Solmaz Legal and Consulting team provides professional legal consultancy services related to personal data law and the completion of the necessary procedures. You can request legal services by contacting the expert legal staff of our team.