Learn how workplace policies and internal regulations should be drafted and implemented in Turkey, including legal limits on handbooks, disciplinary rules, data protection, working time, leave, occupational safety, remote work, and union rights.
In every business, workplace policies and internal regulations are meant to create order. They explain how work is performed, how employees should behave, how attendance and leave are managed, how confidential information is protected, how disciplinary issues are handled, and how the employer expects managers and staff to interact in daily operations. Yet in Turkey, these texts are not merely management tools. They sit inside a mandatory legal framework shaped by Labour Law No. 4857, Occupational Health and Safety Law No. 6331, the Personal Data Protection Law No. 6698, the Remote Work Regulation, and, where collective labor rights are implicated, Law No. 6356 on Trade Unions and Collective Bargaining Agreements. A policy that looks practical from a business perspective can still be unenforceable if it conflicts with statutory rights or if it tries to change working conditions without following the required legal procedure. (Çalışma ve Sosyal Güvenlik Bakanlığı)
That is why workplace policies and internal regulations should be drafted as legal compliance documents, not as informal management notes. Turkish law does allow employers to organize the workplace and issue internal rules, but that freedom is limited by mandatory protections on equality, wages, working time, annual leave, occupational health and safety, privacy, union freedom, and contractual stability. The real legal question is not whether an employer may issue a handbook or internal regulation. The real question is which parts of that handbook are merely operational, which parts become binding working conditions, and which parts cross the line into unlawful unilateral change.
What workplace policies and internal regulations mean under Turkish law
Turkish labour legislation does not rely on a single statutory definition of “employee handbook” or “internal regulation” in the way some other jurisdictions do. But Labour Law No. 4857 clearly recognizes that working conditions may arise not only from the employment contract itself, but also from “personnel regulations and similar sources annexed to the employment contract” and from workplace practice. Article 22 is the key provision. It states that the employer may make a substantial change in working conditions created by the employment contract, annexed personnel regulations and similar sources, or workplace practice only by notifying the employee in writing. If the change is not accepted by the employee in writing within six working days, it does not bind the employee.
This article is central because it explains the legal function of workplace policies. Internal regulations are not legally irrelevant. On the contrary, they may become part of the employee’s working conditions. That is precisely why employers must be careful. Once a policy moves beyond day-to-day workflow and starts shaping matters such as working hours, pay structure, location of work, reporting lines, performance obligations, remote work arrangements, or other core conditions, the employer is no longer dealing with a purely managerial memo. The employer is operating in the field of binding labour conditions.
For employers, the practical consequence is straightforward. A workplace handbook can lawfully regulate matters like disciplinary procedure, IT use, confidentiality, attendance recording, leave application workflow, workplace conduct, health and safety reporting, and complaint channels. But if the employer uses the same handbook to cut benefits, extend hours, relocate staff, reduce flexibility, or introduce materially heavier obligations without following the written notice and acceptance mechanism, the policy may fail as a matter of law. This is one of the most common legal mistakes in HR practice: assuming that publishing a new policy is the same thing as lawfully changing employment terms. It is not.
The first legal limit: internal rules cannot override mandatory labour rights
The first and most basic limit is that workplace rules cannot override mandatory legislation. Labour Law No. 4857 states that its purpose is to regulate the rights and responsibilities relating to the working conditions and work environment of employees working under an employment contract, and it applies broadly to covered workplaces, employers, employer representatives, and employees. That means an internal policy is subordinate to the law. If a handbook says something inconsistent with statutory rights, the handbook does not prevail. (Çalışma ve Sosyal Güvenlik Bakanlığı)
This matters in several core areas. Article 63 of the Labour Law provides that normal weekly working time is generally a maximum of forty-five hours. The law also allows distribution of that weekly time across working days, but only within statutory limits and subject to the equalization framework. An internal rule saying that the company’s standard schedule is fifty hours per week, or that management may assign unlimited extra time whenever needed, would not become lawful merely because it appears in the handbook. The policy must stay within the legal ceiling and the structure of overtime rules.
The same principle applies to wages and payroll records. Article 37 requires the employer to provide the employee with a signed or specially marked wage slip showing the payment date, the period concerned, additions to the main wage such as overtime and holiday pay, and deductions such as tax and insurance contributions. A workplace policy cannot lawfully replace this statutory requirement with a vague payroll statement or an undocumented payment practice. Internal rules may organize payroll workflow, but they cannot reduce the employee’s statutory information rights.
Annual leave is another area where employers often rely too heavily on internal policy language. The Annual Paid Leave Regulation requires employers to keep a leave record document, and in workplaces with more than one hundred employees it requires an annual leave board composed of employer and employee representatives. The Regulation also requires the employer to announce certain leave periods if it decides to group leave in particular times of the year. So an employer may create an internal leave policy, but that policy must fit within the statutory leave regime, including leave records, leave planning, and the non-waivable minimum leave rights recognized in the Labour Law and its regulation.
The second legal limit: substantial changes require written notice and acceptance
Article 22 is the most important rule for any employer revising internal regulations. The article expressly covers working conditions arising from the employment contract, annexed personnel regulations and similar sources, and workplace practice. A substantial change requires written notice, and the change does not bind the employee unless the employee accepts it in writing within six working days. If the employee refuses, the employer may proceed only by explaining in writing that the proposed change is based on a valid reason or that another valid reason for termination exists, and by complying with termination notice rules.
In practical HR terms, this means not every policy update is equal. An employer may revise formatting rules, reporting templates, or meeting procedures without necessarily changing the employee’s legal working conditions. But where the revised policy materially affects wage structure, core hours, the work location, the mode of work, the employee’s level of autonomy, or comparable essentials, the safer legal view is that Article 22 must be respected. This is not only a drafting issue. It is also an implementation issue. The employer should distinguish between managerial instructions and policy changes that actually alter the employment bargain.
This distinction becomes particularly important in remote and hybrid work. The Remote Work Regulation states that a remote employment relationship is based on a written arrangement, and Article 14 provides that an existing on-site employment contract may be converted into remote work by agreement between employer and employee. The worker’s written request is to be evaluated under the employer’s internal procedure, and if accepted, a contract complying with Article 5 must be made. That means an employer cannot simply issue a one-page IT announcement and turn on-site employment into remote work or vice versa as though this were only an administrative preference. Where the working model is a core term, the written agreement structure matters.
Equal treatment and anti-discrimination as hard limits on policy design
Article 5 of the Labour Law prohibits discrimination in the employment relationship on grounds such as language, race, color, sex, disability, political opinion, philosophical belief, religion, sect, and similar reasons. It also bars unjustified differential treatment between full-time and part-time employees and between indefinite-term and fixed-term employees, and it prohibits direct or indirect discrimination because of sex or pregnancy in the making, conditions, implementation, and termination of the employment contract unless objectively justified by biology or the nature of the work.
Because of this, a workplace policy may not be neutral on paper but discriminatory in effect. A dress code that is disproportionately applied to one gender, a promotion policy that penalizes maternity-related absence, a remote work policy that excludes part-time staff without objective reason, or a performance rule that systematically disadvantages disabled employees can all raise legal risk even if the text is framed as a general internal regulation. Anti-discrimination compliance therefore requires more than avoiding explicitly unlawful wording. It requires checking whether the policy’s structure and day-to-day application produce unequal treatment.
This is also where best practice matters. Employers should test policies against real workforce categories before publication. That includes full-time and part-time staff, fixed-term and indefinite-term staff, pregnant employees, older workers, disabled workers, and workers on different schedules. The legal risk in many disputes is not that the employer openly intended discrimination, but that it failed to examine how a policy would function in practice.
Union rights and employee representation cannot be restricted by internal rules
Internal regulations must also respect collective labor rights. Law No. 6356 states that recruitment cannot be made conditional on joining or not joining a particular union, remaining in or leaving a union, or union membership generally. It also prohibits discrimination between unionized and non-unionized workers, or between workers belonging to different unions, in working conditions or termination, subject to collective bargaining rules on wage-related benefits. Workers cannot be dismissed or treated differently because of union activity conducted outside working hours or, with the employer’s permission, during working hours. Violations may lead to trade-union compensation of at least one year’s wages. (Çalışma ve Sosyal Güvenlik Bakanlığı)
This has a direct effect on workplace policy drafting. An employer may regulate communication channels, use of premises, access cards, IT systems, and meeting logistics, but cannot use internal rules to suppress lawful union participation or to create a de facto penalty for union activity. A policy that looks neutral but in reality discourages protected collective activity can trigger serious liability. (Çalışma ve Sosyal Güvenlik Bakanlığı)
The protection is even stronger for workplace union representatives. Under Article 24 of Law No. 6356, the employer may not terminate the contract of a workplace union representative without just cause and without clearly and precisely stating the reason in writing. The same provision also states that the employer may not change the workplace or make a substantial change in the representative’s job without the representative’s written consent. So internal regulations that purport to give management unrestricted authority to transfer or substantially alter a union representative’s work are not legally safe. (Çalışma ve Sosyal Güvenlik Bakanlığı)
Data protection and internal privacy rules
Many modern workplace policies govern email, internet use, cameras, access badges, laptops, mobile devices, remote access, whistleblowing channels, and document retention. In Turkey, these topics are not governed only by employment law. They are also subject to the Personal Data Protection Law. Article 10 requires the data controller, at the time personal data are obtained, to inform data subjects about the identity of the controller, the purpose of processing, possible recipients and transfer purposes, the legal basis and method of collection, and the rights of the data subject. The Communiqué on the Obligation to Inform further states that the duty to inform applies whether processing is based on explicit consent or another lawful processing condition, that it does not depend on a request by the data subject, and that if the processing purpose changes, the duty must be fulfilled again for the new purpose before processing begins. (KVKK)
The law also requires the controller to take necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure data security. KVKK’s official guidance summarizes Article 12 in exactly these terms. In addition, the Registry By-Law and official KVKK guidance tie data-governance duties to retention periods and inventory logic. That means a workplace policy on monitoring, device use, CCTV, email review, access logs, or HR investigations should not exist in isolation. It should be aligned with privacy notices, legal bases for processing, access controls, retention periods, and data-security measures. (KVKK)
The strongest example appears in remote work. Article 11 of the Remote Work Regulation requires the employer to inform the remote worker about the business rules and relevant legislation on the protection and sharing of workplace and work-related data, to take the necessary measures for protecting those data, and to define in the contract the scope of the data that must be protected. The same article also makes compliance with employer-defined data-protection business rules mandatory for the remote worker. This means employers should not rely on a vague clause saying “the employee shall respect confidentiality.” A lawful remote work regime needs a more detailed data-governance framework.
Occupational health and safety policies are mandatory compliance tools
Occupational health and safety policies are not optional best practice in Turkey. Article 4 of Law No. 6331 states that the employer has a duty to ensure the safety and health of workers in every aspect related to the work and must take measures necessary for occupational risk prevention, information, training, organization, and implementation. Article 10 requires the employer to carry out or procure a risk assessment, taking account of matters such as workplace organization, work equipment, and workers who may need specific policies, including young, older, disabled, pregnant, and breastfeeding workers.
Internal rules on incident reporting, unsafe behavior, emergency procedure, PPE use, ergonomics, equipment safety, contractor access, and escalation lines therefore should not be treated as merely operational suggestions. They are part of the employer’s legal compliance structure. Article 16 further requires the employer to inform workers and workers’ representatives about workplace risks, preventive measures, legal rights and responsibilities, and emergency-response personnel. Article 17 requires adequate health and safety training on recruitment, transfer, change of job, new equipment, and new technology.
In practice, this means a health and safety policy should be readable, role-specific, and actually used. The law is not satisfied by placing a generic PDF on the intranet and never revisiting it. Training, acknowledgment, refreshers, and incident-specific updates matter. An employer that has a formal OHS manual but cannot show risk assessment, worker information, or role-appropriate training is not in a strong compliance position.
Personnel files, confidentiality, and documentation discipline
Article 75 of the Labour Law requires the employer to keep a personnel file for every employee, to retain the documents and records it must prepare under labour law and other laws, and to show them to authorized persons and authorities when requested. It also imposes a confidentiality duty: the employer must use information about the employee in accordance with honesty and law and must not disclose information that the employee has a justified interest in keeping secret.
This provision has two consequences for workplace policies. First, policies should tell employees what documents and acknowledgments the employer requires, and HR should maintain version control so that the file reflects what policy version applied at what time. Second, internal rules should limit who can access investigation materials, disciplinary findings, medical documents, and other sensitive HR records. A policy framework that demands constant employee transparency while giving the employer no disciplined recordkeeping rules is legally incomplete.
Discipline policies: useful, but not absolute
Employers in Turkey can and should adopt disciplinary procedures. Clear rules on misconduct, reporting, investigation steps, conflict of interest, harassment, IT misuse, attendance manipulation, and confidentiality breaches are often essential for orderly management. But disciplinary rules must be drafted with caution. They cannot convert every internal breach into an automatic dismissal, because the Labour Law still governs just-cause and valid-reason termination. Articles 24 and 25 set out the framework for immediate termination by employee and employer on just cause, and internal regulations do not expand those statutory categories simply by declaring that any policy violation is “cause for instant dismissal.”
The better approach is to draft discipline rules in proportionate levels. Minor misconduct, repeated noncompliance, serious misconduct, and conduct creating immediate legal risk should be distinguished. Policies should also explain investigation steps, opportunity to respond where appropriate, documentation requirements, and who makes the final decision. This is both fairer and more defensible. When an employer uses a handbook as though it were a shortcut around statutory termination analysis, the policy often becomes evidence against the employer rather than in its favor.
Best practices for lawful workplace policies in Turkey
The most effective workplace policies are not the longest. They are the clearest, the most legally aligned, and the easiest to apply consistently. As a first step, employers should separate policies into categories: operational rules, compliance policies, and working-condition documents. Operational rules cover workflow and internal coordination. Compliance policies cover areas like anti-discrimination, anti-harassment, data protection, whistleblowing, OHS, and remote work security. Working-condition documents are the most sensitive because they may trigger Article 22 if they substantially alter the employment relationship.
Second, every policy should have a clear legal owner and a version history. HR may own the employee handbook, but IT may own cybersecurity rules, legal may own privacy language, and the OHS function may own safety rules. The file should show when the rule entered into force, who approved it, who received it, and whether employee acknowledgment was obtained. This matters because the personnel file obligation under Article 75 and the leave-record obligation under the annual leave regulation both assume documentary discipline rather than informal practice.
Third, employers should match dissemination to legal effect. A policy that simply explains how to book annual leave may be published and acknowledged. A policy that materially changes work location, working time, or another essential term should go through a more formal written notice and acceptance mechanism. In remote work, the regulation itself requires a written contract and identifies the topics that must be covered in that written arrangement.
Fourth, policies should be drafted for real managers, not only for future litigation. A beautifully written anti-harassment or privacy policy is of limited value if managers do not know how to receive complaints, preserve confidentiality, avoid retaliation, and escalate matters correctly. The same is true for safety rules. Article 17 of the OHS Law makes training a legal requirement, and training is most useful when it explains how the written policy actually works in daily life.
Fifth, employers should review policies against collective rights before rollout. Internal rules should not interfere with union freedom, should not discriminate against union members, and should not override the special protections applicable to workplace union representatives. Where a workplace is unionized or close to collective activity, this review becomes especially important. (Çalışma ve Sosyal Güvenlik Bakanlığı)
Finally, employers should audit policies periodically against actual practice. Turkish labour risk often arises not from a bad document alone but from the gap between the document and daily operations. If a policy says employees receive wage slips, leave records are maintained, OHS training is repeated, and remote-work data rules are enforced, the employer should be able to prove all of that in practice. A policy that exists only on paper may increase, rather than reduce, legal exposure.
Conclusion
In Turkey, workplace policies and internal regulations are legally significant because they can shape working conditions, create evidence of employer intent, support compliance, or generate liability if drafted carelessly. The governing principle is not that employers are forbidden from issuing internal rules. It is that internal rules must stay within statutory limits. They cannot override mandatory rights on working time, wages, annual leave, equality, data protection, occupational safety, union freedom, or contractual stability. Where a policy substantially changes working conditions, Article 22 requires written notice and written acceptance. Where the policy touches privacy, OHS, remote work, or union rights, sector-specific and statute-specific obligations also apply.
The best legal strategy is therefore preventive. Employers should draft shorter and clearer policies, classify them by legal effect, circulate them properly, obtain acknowledgments where appropriate, train managers, align practice with text, and review updates through HR and legal together. When done correctly, internal regulations do not merely reduce confusion. They become part of a sustainable compliance structure that protects both business order and legal defensibility.
Yanıt yok