A practical legal guide to GDPR and Turkish KVKK compliance in human resources, covering lawful bases, employee consent, special category data, monitoring, DSARs, retention, security, and cross-border transfers.
Human resources teams now sit on some of the most sensitive data in any organization. Recruitment files, interview notes, onboarding records, payroll data, health reports, disciplinary files, access logs, performance evaluations, whistleblowing records, and exit documents all involve personal data processing. That is why GDPR and Turkish KVKK compliance in human resources is no longer a niche privacy topic. It is a core legal function for employers, especially those operating across the EU and Türkiye or using centralized HR systems across jurisdictions. The GDPR is part of the EU data protection framework, while Türkiye’s Personal Data Protection Law No. 6698, usually referred to as KVKK, protects privacy and regulates the obligations of those who process personal data in Türkiye. (European Commission)
For HR departments, the challenge is not simply that both regimes exist. The challenge is that they are similar enough to invite overconfidence, but different enough to create real compliance gaps. Both frameworks require a lawful basis, transparency, proportionality, security, retention discipline, and controlled international transfers. But they do not organize those obligations in exactly the same way, and they do not use the same operational tools. In practice, a company that assumes “GDPR-compliant” automatically means “KVKK-compliant” is taking a risk, especially in employee monitoring, sensitive data handling, registry obligations, data subject response workflows, and cross-border HR transfers. (edpb.europa.eu)
Why HR needs a side-by-side GDPR and KVKK strategy
The GDPR applies across the European Economic Area and can also apply to certain non-EEA organizations, including those offering goods or services to individuals in the EEA or processing personal data on behalf of EEA-based organizations. KVKK, by contrast, is Türkiye’s national data protection law and governs the processing of personal data within the Turkish legal framework. As a result, multinational employers often face both regimes at once: GDPR for EU-facing HR operations and KVKK for Turkish employees, Turkish entities, or Turkish HR databases. (edpb.europa.eu)
This dual exposure becomes especially visible in common HR workflows. A Turkish subsidiary may recruit employees through a group-wide ATS hosted in the EU. A European headquarters may run performance management or internal investigation systems that also contain data from Turkish personnel. A regional HR team may use one privacy notice, one DSAR process, and one transfer model for all staff. Legally, that is where trouble begins. GDPR and KVKK overlap on first principles, but each regime has its own logic on lawful basis, notice content, special category data, response timing, accountability architecture, and transfer mechanics. (edpb.europa.eu)
Lawful basis: the first question HR should ask
Under the GDPR, controllers must rely on a legal basis for processing personal data lawfully. The EDPB summarizes the available bases as consent, contractual necessity, legal obligation, public-interest tasks, vital interests, and legitimate interests. It also stresses that choosing the legal basis is not a formality, because the basis carries different requirements and affects the rights that individuals can exercise. (edpb.europa.eu)
KVKK is structured similarly but not identically. Article 5 starts from the rule that personal data may not be processed without the data subject’s explicit consent, then lists alternative bases, including cases where processing is expressly provided by law, necessary to protect life or physical integrity, directly related to the establishment or performance of a contract, necessary for compliance with a legal obligation, necessary for the establishment, exercise, or protection of a right, or necessary for the controller’s legitimate interests so long as the data subject’s fundamental rights and freedoms are not violated. (KVKK)
For HR, the practical lesson under both systems is the same: do not default to consent. Payroll, social security compliance, benefits administration, attendance management, internal investigations, disciplinary files, and defense of legal claims often have more appropriate bases than consent. On the GDPR side, the EDPB expressly says consent in the employment context is problematic because of the imbalance of power between employer and employee; it says employees can usually give free consent only in exceptional circumstances with no adverse consequences. On the KVKK side, Article 5 already gives HR teams several alternative grounds that usually fit employment processing better than explicit consent.
That point matters because HR compliance often fails at the design stage. If the real reason for processing salary data is contract performance, or the real reason for keeping litigation-related files is the establishment or protection of a right, the employer should say so and build the workflow around that basis. A consent checkbox cannot cure a poor legal analysis. In both regimes, lawful processing begins with identifying the real basis, not the most convenient-looking basis. (edpb.europa.eu)
Special category data: where HR risk rises sharply
Both GDPR and KVKK treat sensitive data as a higher-risk category. The EDPB explains that “sensitive data” or special categories include data revealing health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and biometric and genetic data, and that processing such data is generally prohibited except in specific circumstances. (edpb.europa.eu)
KVKK Article 6 is similarly strict. It classifies data on race, ethnic origin, political opinion, philosophical belief, religion, other beliefs, appearance, association or trade-union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data as special categories. It then states that processing is prohibited unless one of the listed conditions exists, including explicit consent, express legal provision, the establishment or protection of a right, health-care related grounds, and, critically for HR, necessity for legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance. (KVKK)
This makes KVKK especially important for HR teams handling occupational health files, sick leave records, disability accommodations, workplace physician interactions, biometric access systems, background checks, and union-related information. It also means that Turkish HR teams should not assume special category processing always requires consent. In some employment contexts, KVKK now expressly recognizes an employment-law basis. But that does not make the data ordinary. It still requires narrower access, stronger safeguards, and a clear purpose. (KVKK)
Under GDPR, the same practical caution applies. Even where an Article 9 exception is available, HR should treat special category data as exceptional, not routine. The safest approach under both systems is to collect the minimum amount necessary, separate sensitive data from general personnel records where possible, restrict access tightly, and document why the organization needs the data in the first place. (edpb.europa.eu)
Transparency and employee privacy notices
Transparency is a central requirement under both laws. The EDPB states that GDPR processing must be lawful, fair, and transparent, and that individuals must be informed about what is done with their data, by whom, how, and why. It also notes that if processing changes materially, including new recipients, a compatible new purpose, or a transfer outside the EEA, the organization should inform the data subject before the change takes effect. (edpb.europa.eu)
KVKK Article 10 imposes a comparable but specifically codified information duty. At the time personal data are obtained, the controller or its representative must inform the data subject about the identity of the controller and any representative, the purpose of processing, possible recipients and transfer purposes, the method and legal basis of collection, and the rights listed in Article 11. KVKK also attaches administrative sanctions to failures to comply with the information duty. (KVKK)
For HR, this means privacy notices should not be generic corporate text pasted into an onboarding packet. Recruitment, onboarding, performance management, investigations, CCTV, access control, whistleblowing, remote work, payroll, and offboarding often involve different data categories, recipients, legal bases, and retention logic. A privacy framework that is too vague for employees to understand or too broad to be accurate is weak under both regimes. (edpb.europa.eu)
Employee rights and DSAR timing
GDPR and KVKK both give employees enforceable rights, but the mechanics differ. The EDPB explains that data controllers must facilitate the exercise of data subject rights and, as a general rule, answer within one month. It also states that if a request is complex, the response period may be extended by two further months, provided the individual is informed within the first month. The EDPB’s access-rights guidelines likewise emphasize that requests should be handled as soon as possible and in any event within one month of receipt. (edpb.europa.eu)
KVKK Articles 11 and 13 create a more formal request route. Article 11 gives the data subject rights including learning whether data are processed, understanding the purpose of processing, learning recipients in-country or abroad, requesting correction, requesting erasure or destruction under Article 7, objecting to automated decisions producing adverse effects, and seeking compensation for unlawful processing. Article 13 then requires the controller to conclude the request as soon as possible and at the latest within thirty days. (KVKK)
For HR teams, the consequence is operational. A group-wide “DSAR policy” based purely on GDPR’s one-month model is not enough for Turkish compliance unless it also reflects KVKK’s request channel and escalation logic. Likewise, a Turkish-only KVKK workflow may not be enough for EU-facing HR operations if it ignores GDPR’s broader access expectations and extension rules. In cross-border HR practice, it is safer to build one robust intake-and-triage system that can classify requests by regime and then apply the correct deadline and response content. (edpb.europa.eu)
Monitoring, access control, and biometrics
Employee monitoring is one of the hardest areas to harmonize. Under the older but still influential Article 29 Working Party Opinion 2/2017 on data processing at work, employers should not monitor employees where the purpose can be achieved by less intrusive means. That principle remains highly relevant in GDPR practice because it reflects the broader requirements of necessity, proportionality, and fairness in employment settings. (European Commission)
KVKK has taken a similarly cautious line on biometrics. In its published 2022/662 summary, the Board treated hand-geometry data used for building access as biometric sensitive data and concluded that the processing was unlawful on the facts presented. The published summary also underlines that workplace methods involving processing and sharing of personal data must preserve constitutional guarantees protecting employee rights and freedoms. (KVKK)
The combined lesson is straightforward. HR should not choose the most intrusive monitoring technology merely because it is efficient. Before deploying biometric attendance, geolocation, always-on remote monitoring, or expansive access tracking, employers should ask whether a less intrusive alternative would achieve the same goal. Under both GDPR and KVKK, proportionality is not an abstract concept. It directly shapes whether employee monitoring is defensible. (European Commission)
Records, accountability, and governance
One major practical difference between the two systems lies in accountability tooling. The EDPB’s SME guide states that organizations have a duty to keep a record of their data processing activities in writing, including electronically, and it expressly uses HR examples such as recruitment, payroll management, training, and badge and access management. (edpb.europa.eu)
KVKK approaches governance through registry and inventory concepts. Article 16 creates the Data Controllers’ Registry, makes it public, and requires registration before processing starts unless the Board grants a derogation based on objective criteria. The provision also requires disclosure of processing purpose, data subject groups and data categories, recipients, data transferred abroad, security measures, and maximum storage period. The Data Controllers’ Registry By-Law and VERBİS structure then operationalize that approach. (KVKK)
As a practical matter, GDPR HR compliance often centers on Article 30-style records of processing, while KVKK HR compliance often centers on VERBİS registration where applicable, processing inventories, and disclosure fields tied to the Turkish registry model. A multinational HR team should therefore not assume that one governance document automatically satisfies both systems. The underlying information overlaps, but the compliance outputs differ. (edpb.europa.eu)
Retention, deletion, and disposal
Retention discipline is another area where HR teams often underestimate the legal risk. The EDPB explains that GDPR requires storage limitation, meaning personal data must be kept only for as long as necessary for the relevant purpose, and the European Commission states that data should be stored for the shortest time possible, taking into account both the processing purpose and any legal obligation to retain data, such as labor or tax rules. The EDPB also recommends having internal retention periods and deletion procedures. (edpb.europa.eu)
KVKK mirrors this logic. Article 4 requires personal data to be relevant, limited, and proportionate and stored only for the period laid down in legislation or required by the purpose of processing. The By-Law on Erasure, Destruction or Anonymization of Personal Data then states that data must be erased, destroyed, or anonymized ex officio or upon request once the processing conditions in Articles 5 and 6 no longer exist, and it requires disposal operations to be recorded and retained for at least three years. (KVKK)
For HR, this means employee data should not be kept forever by default. CV pools, interview notes, disciplinary warnings, access logs, outdated medical records, former employee files, and investigation materials all need retention logic. Under both regimes, indefinite storage without a clear legal or operational basis is difficult to justify. (European Commission)
Security, processors, and breach response
GDPR and KVKK both expect HR data to be protected with real technical and organizational measures. KVKK Article 12 requires controllers to prevent unlawful processing, prevent unlawful access, and ensure data security; it also states that controllers remain jointly responsible with processors acting on their behalf. The article further requires audits and breach notification to the data subject and the Board within the shortest time if data are unlawfully obtained by others. KVKK’s 2019/10 breach notification decision and the Authority’s security guidance further clarify that where notification cannot be made within 72 hours, the reasons for delay should be included. (KVKK)
GDPR follows a comparable but more explicitly timed approach. The European Commission states that if a breach is likely to pose a risk to individuals’ rights and freedoms, the supervisory authority must be notified without undue delay and at the latest within 72 hours after awareness. The EDPB gives the same 72-hour rule in its breach guidance and notes that if the breach is likely to result in a high risk, affected individuals may also need to be informed without undue delay. (European Commission)
For HR teams, the operational conclusion is simple: outsourced payroll, cloud HR suites, applicant tracking systems, and whistleblowing vendors do not remove employer responsibility. Both systems expect controller-side governance over processors, and both require a breach workflow that can identify, assess, escalate, document, and notify HR-related incidents quickly. (KVKK)
Cross-border HR systems and international transfers
Cross-border HR data flows are where GDPR and KVKK diverge most visibly in practice. The EDPB explains that transfers outside the EEA are restricted and must comply with Chapter V of the GDPR; it identifies adequacy decisions and appropriate safeguards as the main routes, with derogations available only in limited cases. The European Commission’s SCC guidance confirms that standard contractual clauses are pre-approved model clauses that can be used for controller-processor relationships and for international transfers outside the EEA. (edpb.europa.eu)
KVKK changed significantly in this area in 2024. Article 9 now allows transfers abroad if an Article 5 or 6 condition is met and there is an adequacy decision. In the absence of adequacy, transfer is still possible if an Article 5 or 6 condition exists, data subjects retain enforceable rights and effective legal remedies, and an appropriate safeguard is used. The Board and Authority then published the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and standard contract texts, including controller-to-controller and other transfer models. (KVKK)
This matters immensely for human resources because HR data are often moved internationally by design. Global payroll support, shared-services centers, regional talent systems, group compliance investigations, and remote IT support all create transfer questions. Under GDPR, EU SCCs remain a central practical tool. Under KVKK, the new Turkish standard contracts and the amended Article 9 structure are now central. A company that uses only EU SCCs for Turkish employee data, or only Turkish standard contracts for EEA-origin HR data, may still leave a gap on the other side of the bridge. (European Commission)
What HR departments should actually do
A workable compliance model begins with mapping the employee data lifecycle: recruitment, onboarding, payroll, timekeeping, benefits, performance, monitoring, investigations, and offboarding. For each process, HR should identify the applicable regime or regimes, the legal basis, whether special category data are involved, which notices apply, who receives the data, whether processors are involved, whether the data leave the EEA or Türkiye, and what retention period applies. That kind of mapping is squarely aligned with GDPR’s record-of-processing logic and KVKK’s registry-and-inventory logic. (edpb.europa.eu)
Second, HR should stop using one universal “employee consent form” as the backbone of privacy compliance. Under GDPR, the EDPB says employment consent is usually not freely given except in exceptional situations. Under KVKK, Article 5 and Article 6 already provide several non-consent grounds that often fit HR workflows better. The legally safer strategy is to reserve consent for genuinely optional processing and to document the real lawful basis for everything else.
Third, international groups should separate GDPR transfer tooling from KVKK transfer tooling instead of assuming they are interchangeable. EU SCCs serve one legal system; the updated Turkish Article 9 regime and Turkish standard contracts serve another. If one HR platform contains both EEA and Turkish personnel data, the organization may need a dual transfer analysis rather than a single form. (European Commission)
Conclusion
GDPR and Turkish KVKK compliance in human resources should be treated as a combined governance discipline, not as two labels for the same thing. Both regimes require lawfulness, fairness, proportionality, transparency, secure processing, controlled retention, and disciplined international transfers. But they differ in how HR teams should operationalize those duties, especially on consent, employee rights workflows, accountability tools, biometrics, registry obligations, and cross-border data transfer mechanisms. (edpb.europa.eu)
For employers, the strongest approach is not to choose between a “GDPR program” and a “KVKK program.” It is to build one HR privacy architecture that can identify which regime applies at each step and then execute the correct notice, legal basis, access, retention, security, and transfer workflow for that dataset. That is the practical meaning of compliant HR data governance in 2026. (edpb.europa.eu)