Türkiye Bans Routine Use of Biometric Data for Employee Attendance Tracking

Recent landmark decisions by the Constitutional Court (Anayasa Mahkemesi) and the Council of State (Danıştay) have fundamentally changed the legal landscape regarding the use of biometric data (fingerprint, palm vein, and facial recognition) for employee attendance tracking in Türkiye. These rulings, together with guidance from the Personal Data Protection Authority (KVKK), set out strict limitations and clarify employer obligations under Turkish law.

Key Developments and Legal Background

• Biometric Data as Special Category Data: Under Turkish law, biometric data are classified as “special category” personal data. Their processing is subject to heightened legal safeguards.
• Court Rulings: Both the Constitutional Court and the Council of State have ruled that collecting and processing biometric data for routine attendance tracking constitutes a significant interference with employees’ right to privacy and data protection.
• Legal Basis Required: Such processing is only lawful if there is a clear and specific legal basis or with the employee’s explicit, informed, and freely given consent. However, the courts have ruled that consent obtained under the threat of disciplinary action or as a condition of employment is not valid.
• Necessity and Proportionality: Even with consent, the use of biometric data must be necessary and proportionate. The courts have emphasized that less intrusive alternatives should be used unless there is a demonstrable, exceptional security need.
• Unlawful Practices and Sanctions: The KVKK imposes administrative fines on employers for unlawful biometric data processing, and the courts annul the use of biometric systems for attendance tracking where no compelling security justification exists. In a recent decision, the KVKK ruled that an employer processing biometric data using a facial recognition system for employee entry and exit must pay an administrative fine of TRY 500,000.

Practical Implications for Employers

• Routine Use Prohibited: Employers may not use biometric systems for routine attendance tracking unless there is a clear, exceptional security requirement that cannot be met by less intrusive means.
• Consent Alone Is Not Sufficient: Even if employees provide consent, this does not legitimize the processing unless it is truly voluntary and there is no imbalance of power or implicit coercion.
• Alternative Methods Required: Employers should implement alternative, less intrusive attendance tracking methods and ensure that all personal data processing complies with the principles of necessity, proportionality, and data minimization.
• Review and Update Policies: Employers are strongly advised to review their current practices, update internal policies, and ensure full compliance with the KVKK and relevant constitutional protections to avoid legal and regulatory risks.

For further information on these developments and their implications for your business, please contact your CMS partner or local CMS experts in Employment and Data Protection Law: Dr. Döne Yalçın or Erdinç Dalar.