Learn how employee personal data protection works in HR management in Turkey, including lawful bases, special category data, personnel files, monitoring, retention, cross-border transfers, and employer compliance.
Employee data sits at the center of modern HR. Recruitment files, onboarding records, payroll information, attendance logs, health documents, disciplinary records, performance evaluations, exit paperwork, and international HR-system entries all involve the processing of personal data. In Turkey, that means HR management is also a data protection function. The legal framework is built primarily on the Personal Data Protection Law No. 6698, but it is also shaped by Article 419 of the Turkish Code of Obligations, which limits how employers may use employee data, and Article 75 of Labour Act No. 4857, which requires employers to maintain personnel files while also respecting confidentiality. In other words, employee personal data protection in HR management is not a side issue. It is part of the legal structure of employment itself. (KVKK)
The starting point is the purpose of the Turkish data protection regime. Article 1 of Law No. 6698 states that the law is intended to protect fundamental rights and freedoms, especially the right to privacy, and to regulate the obligations, principles, and procedures binding on natural and legal persons who process personal data. That broad formulation matters in employment because the employer is not free to treat HR information merely as a business asset. Employee data protection is grounded in fundamental rights, which means every HR workflow must be assessed not only for operational convenience but also for legality, necessity, proportionality, and accountability. (KVKK)
Turkish employment law adds a more specific employment-focused rule. Article 419 of the Turkish Code of Obligations provides that the employer may use the employee’s personal data only to the extent necessary for the employee’s suitability for work or for the performance of the service contract, while special statutory provisions remain reserved. This is a very important limitation. It means HR data processing is not open-ended. Even where a company has technological capacity to collect more information, Turkish law still asks whether the data are genuinely related to job suitability or genuinely necessary for the employment relationship. That principle should shape recruitment, monitoring, disciplinary files, and offboarding alike.
The same logic appears in Labour Act No. 4857. Article 75 requires the employer to create a personnel file for each employee and to keep the documents and records required under labour legislation and other laws. But the article also says the employer must use the information obtained about the employee in accordance with honesty and law and may not disclose information that the employee has a justified interest in keeping secret. So Turkish labour law does not simply authorize HR recordkeeping. It imposes confidentiality discipline at the same time. That is why personnel files, HRIS systems, payroll archives, and investigation folders should all be treated as legally sensitive repositories rather than ordinary internal folders. (Natlex)
Why HR processing requires a legal basis
Under Article 5 of the Personal Data Protection Law, the general rule is that personal data may not be processed without the explicit consent of the data subject. But the same article also lists several alternative lawful bases, including where processing is expressly provided by law, directly related to the establishment or performance of a contract, necessary for compliance with a legal obligation, necessary for the establishment, exercise, or protection of a right, or necessary for the legitimate interests of the controller provided the employee’s fundamental rights and freedoms are not overridden. For HR practice, this is decisive. Many routine employment processes do not depend on consent at all. Payroll, social security reporting, employment contract administration, workplace discipline files, and legal defense records often rest on contractual necessity, legal obligation, rights protection, or legitimate interest instead. (KVKK)
This is why relying automatically on consent in HR can be legally clumsy. If the true reason for processing a data set is legal obligation or contract performance, a blanket consent form may not solve anything and may actually obscure the real compliance basis. In employment relationships, imbalance of power also makes “free” consent a difficult concept in some situations. The better approach is to map each HR process to its actual legal basis. Salary payments and insurance notifications are not the same as optional employee photographs for a marketing brochure, and a litigation file is not the same as a wellness-program survey. Lawful HR governance depends on separating those categories clearly. (KVKK)
General principles: the core rules every HR team should follow
Article 4 of Law No. 6698 sets out the core principles of personal data processing. Data must be processed lawfully and fairly, kept accurate and up to date where necessary, processed for specified, explicit, and legitimate purposes, kept relevant, limited, and proportionate to those purposes, and stored only for the period laid down by legislation or required by the processing purpose. These are not abstract principles. They are the everyday legal test for HR management. If an employer collects far more documents than the role requires, stores employee records indefinitely without a real retention logic, or reuses one set of HR data for a new unrelated purpose, the employer is moving outside the legal framework even before any breach occurs. (KVKK)
For HR departments, proportionality is especially important. It is easy for onboarding checklists to grow over time until they include unnecessary identity details, excessive family information, broad health records, or role-irrelevant documents. But Article 4’s relevance and proportionality requirements do not permit “collect everything just in case” thinking. In Turkish data protection law, more data does not mean better compliance. It often means more risk. A disciplined HR team should therefore define, for each process, what is truly needed and why it is needed. (KVKK)
Special category employee data
Employee files often include special category data, and those categories are regulated more strictly. Article 6 of the Personal Data Protection Law lists data on race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, association or trade-union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data as special categories of personal data. Article 6(3), as amended in 2024, states that processing such data is generally prohibited unless one of the stated conditions exists, including explicit consent, express legal provision, protection of life or physical integrity, establishment or protection of a right, certain health-related purposes, or necessity for legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance. (KVKK)
This employment-specific lawful basis is one of the most important rules for HR professionals. It means that not every health report, disability document, criminal-record extract, union-related record, or biometric entry system depends on consent. But it also means those data cannot be handled casually. They require a proper statutory basis, strict need-based collection, and tighter security. For example, a workplace physician’s handling of certain health data and an employer’s handling of ordinary contact details are not subject to the same legal sensitivity. HR teams should therefore classify employee data and apply stronger controls to special category information. (KVKK)
Recruitment and onboarding: collect less, justify more
One of the clearest official warnings for HR comes from the Personal Data Protection Board’s Decision No. 2022/172. In the published summary, the Board described a case in which a foreign-based data controller’s liaison office in Türkiye requested, after the candidate was accepted to work, documents such as a criminal record, health report, lung film report, blood group certificate, driver’s license copy, marriage certificate copy, and identity cards of family members. The published summary states that requesting family members’ identity-card information contradicted Article 4’s general principles, and it also raised issues concerning special category processing and possible cross-border transfers. This decision shows that recruitment and onboarding are not open collection zones. Even after selection, HR must still prove relevance, legal basis, and proportionality. (KVKK)
The lesson is practical. A role may justify a criminal-record check, a fitness certificate, or a license copy in some sectors, but not every role justifies every document. HR should therefore design onboarding packs by function, not by habit. A finance employee, a driver, a remote software developer, and a factory worker may all require different data sets. Turkish law supports necessity-based collection, not one-size-fits-all documentation. (KVKK)
Transparency and employee information duties
Article 10 of the Personal Data Protection Law imposes an obligation to inform. At the time data are obtained, the data controller or its authorized person must inform the employee about the identity of the controller and any representative, the purpose of processing, the persons or categories to whom the data may be transferred and the purposes of transfer, the method and legal basis of collection, and the employee’s Article 11 rights. In HR terms, this means employee privacy notices are not optional. Employers should not assume that a short clause in the employment contract automatically satisfies the duty to inform for all HR operations. (KVKK)
This obligation matters across the whole employment cycle. Recruitment notices, onboarding privacy texts, staff-monitoring notices, whistleblowing or investigation notices, and exit-stage notices may all require tailored wording depending on how the employer collects and uses data. Article 10 is about timing as well as content: the employee should understand the processing when the data are obtained, not only later if a dispute arises. A legally sound HR system therefore matches each significant processing stage with a corresponding transparency document or process. (KVKK)
Employee rights under Article 11
Employees are not passive subjects of HR data processing. Article 11 gives every person the right to learn whether personal data are processed, request information about processing, learn the purpose of processing and whether the data are used accordingly, know the third parties to whom data are transferred at home or abroad, request correction of incomplete or inaccurate data, request erasure or destruction where Article 7 conditions are met, request notification of correction or deletion to recipients, object to adverse outcomes produced solely by automated analysis, and claim compensation for damage arising from unlawful processing. For employers, this means HR data governance must be built to answer employee requests, not just to store records. (KVKK)
Article 11 is particularly significant in modern HR analytics. If an employer uses automated tools to score attendance risk, productivity, promotion eligibility, or misconduct likelihood, the objection right becomes especially relevant. Even where the company uses software for efficiency, Turkish law still preserves the employee’s ability to challenge adverse results produced solely through automated systems. That makes governance over HR technologies, dashboards, and AI-assisted decision support a live compliance issue rather than a future problem. (KVKK)
Security, processors, and data breaches
Article 12 of the Personal Data Protection Law requires the data controller to take all necessary technical and organizational measures to ensure an appropriate security level, specifically to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. The same article says that where another natural or legal person processes data on behalf of the controller, the controller and processor are jointly responsible for taking these measures. It also requires the controller to conduct or commission the necessary audits and imposes a continuing confidentiality obligation even after a person’s role ends. In HR practice, that means payroll vendors, cloud HR platforms, benefits administrators, and external consultants do not remove the employer’s responsibility. (KVKK)
The breach rule is equally important. Article 12(5) requires the controller to notify the data subject and the Board within the shortest time if processed data are obtained unlawfully by others. KVKK’s official guidance states that the Board interpreted “the shortest time” as 72 hours in Decision No. 2019/10 and that delayed notices should explain the reason for delay. For HR teams, this matters because employee data breaches are not hypothetical. Lost laptops, exposed payroll files, misdirected disciplinary emails, misconfigured access permissions, and cloud-platform incidents can all trigger notification obligations. A mature HR compliance system therefore needs a breach escalation protocol, not only a privacy notice. (KVKK)
Monitoring, attendance systems, and biometrics
Employee monitoring is one of the highest-risk areas in HR data protection. Entry systems, attendance controls, remote-work monitoring tools, and identity-verification mechanisms often tempt employers toward overly intrusive solutions. The KVKK Board’s published Decision No. 2022/662 is highly instructive here. In that case, the Board concluded that “hand geometry” data used for access control constituted biometric sensitive data in the circumstances and found that the controller had processed special category biometric data without a valid Article 6 condition. The Board imposed an administrative fine and ordered the processing to cease and the biometric data to be destroyed. (KVKK)
The broader lesson is that employers should not assume that a more advanced attendance or access technology is automatically lawful merely because it is efficient. Where identity verification can be achieved with less intrusive means, biometric solutions will face heavier scrutiny. In HR management, necessity and proportionality should be tested before deploying fingerprint, face, palm, hand-geometry, or similar systems. A lawful workforce-management tool is not simply one that works; it is one whose legal basis, necessity, and security can be defended. (KVKK)
Retention, erasure, destruction, and anonymization
Storage discipline is a core part of employee personal data protection in HR management. The By-Law on Erasure, Destruction or Anonymization of Personal Data states that personal data must be erased, destroyed, or anonymized ex officio or upon request when the processing conditions in Articles 5 and 6 no longer exist. It also requires data controllers to record all disposal operations and keep those records for at least three years. Controllers that have a storage and disposal policy must carry out the first periodic disposal after the deletion obligation arises, and the periodic disposal interval may not exceed six months; controllers not obliged to issue such a policy must erase, destroy, or anonymize data within three months after the obligation arises. (KVKK)
For HR, this means employee data should not be kept forever simply because it may become useful. CVs of unsuccessful candidates, outdated health records, old access logs, legacy disciplinary material, closed investigation files, and former-employee documents all need a retention logic tied to law and purpose. A defensible HR archive is not the same as a limitless archive. Retention schedules, deletion triggers, and destruction records are part of compliance, not mere housekeeping. (KVKK)
Cross-border HR systems and transfers abroad
Cross-border HR platforms are now common, but Turkish law treats foreign transfer as a separate compliance step. Article 9, amended in 2024, allows transfer abroad where one of the Article 5 or 6 conditions exists and there is an adequacy decision for the destination. In the absence of adequacy, Article 9 allows transfer if one of the Article 5 or 6 conditions is met, the employee retains enforceable rights and effective legal remedies in the receiving country, and one of the recognized appropriate safeguards is in place. KVKK announced in August 2024 that it had published the English translations of the new By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and the standard contract texts announced in July 2024. (KVKK)
This is particularly important for global HR. International groups often centralize payroll support, performance systems, talent databases, or investigation records outside Türkiye. But operational convenience does not remove Article 9. If employee data move to foreign affiliates, regional HR hubs, or software providers abroad, the employer should validate the processing condition and the transfer mechanism. In 2026, cross-border HR compliance in Turkey is no longer something employers can safely defer. (KVKK)
Inventory, governance, and VERBIS-facing preparation
Where registry obligations apply, the governance burden goes beyond a privacy notice. The Data Controllers’ Registry By-Law states that data controllers under registration obligation must register before processing starts and must prepare a Personal Data Processing Inventory. It also says the information entered into the Registry is based on that inventory and forms the basis for the Article 10 information obligation, responses to data-subject requests, and the determination of the scope of explicit consent where consent is used. This makes the inventory function especially important for HR. It forces the employer to map business processes, legal grounds, data categories, retention periods, transfer recipients, and security measures. (KVKK)
Even where a particular employer may fall outside registration obligation, the inventory logic remains a best-practice model for HR compliance. A company that cannot explain what employee data it collects, why it collects them, how long it keeps them, who receives them, and what security measures apply is already operating blindly. Inventory discipline is therefore not merely a regulatory burden. It is the practical foundation of lawful HR management. (KVKK)
Conclusion
In Turkey, employee personal data protection in HR management is governed by a layered structure: the Personal Data Protection Law establishes the general principles, lawful bases, employee rights, security duties, and transfer rules; the Turkish Code of Obligations limits employers to data relevant to job suitability or necessary for performance of the service contract; and the Labour Act requires personnel files while imposing confidentiality discipline. Board decisions on recruitment-stage document requests and biometric access systems show that the law is applied concretely, not just theoretically. (KVKK)
For employers, the safest path is clear. Build HR data flows around legal basis rather than habit. Separate ordinary from special category data. Inform employees properly. Limit collection to what is necessary. Secure processors and internal access. Plan for deletion as carefully as for storage. Test monitoring tools for proportionality. And treat international HR transfers as a real compliance question, not a technical detail. When those steps are followed, employee data protection stops being a reactive legal problem and becomes a stable part of good HR governance. (KVKK)