A detailed legal guide to background checks in recruitment in Turkey, covering candidate data, criminal records, health reports, reference checks, discrimination risk, data retention, cross-border transfers, and HR compliance.
Background checks are often presented as a sensible hiring tool. Employers want to confirm identity, verify qualifications, test whether a candidate is suitable for the role, and reduce the risk of fraud, misconduct, or later hiring disputes. In Turkey, however, background checks are not simply an HR convenience. They are regulated through labour law, personal data protection law, occupational health and safety rules, and, for foreign candidates, work-permit law. That means a background check can easily become unlawful if the employer asks for too much information, uses the wrong legal basis, keeps the data too long, shares it too broadly, or uses it in a discriminatory way. For that reason, background checks in recruitment should be treated as a structured legal process, not just a recruitment habit. (Natlex)
The core Turkish legal framework is relatively clear. Labour Act No. 4857 prohibits discrimination in the employment relationship, including at the stage of concluding the employment contract. KVKK requires that candidate data be processed lawfully and fairly, for specified and legitimate purposes, in a relevant, limited, and proportionate way, and only for as long as necessary. The same law also requires a lawful processing ground, a proper information notice, and special care for special category data such as health information and criminal-conviction data. In hazardous or very hazardous jobs, health surveillance before assignment may be legally required. And if the candidate is a foreign national within the scope of Law No. 6735, a work permit or exemption must generally be obtained before work starts. (Natlex)
A lawful recruitment check therefore begins with a narrower question than many employers ask. The real question is not “What can we find out about this person?” It is “What information is genuinely necessary for this role, at this stage, for this lawful purpose?” Turkish law pushes employers toward necessity and proportionality. When background checks drift beyond that line, the risk is not only a privacy complaint. It can also become a discrimination claim, a data-retention violation, a cross-border transfer problem, or a later employment dispute about how the employer used sensitive information. (KVKK)
Why background checks are a legal issue from the first contact
One of the most important legal anchors is Article 5 of Labour Act No. 4857. It prohibits discrimination in the employment relationship on grounds such as language, race, sex, political opinion, philosophical belief, religion, and similar reasons, and it expressly prohibits direct or indirect discrimination because of sex or maternity in the conclusion, conditions, execution, and termination of the employment contract unless there is an objective justification linked to biology or the nature of the work. In recruitment terms, that means the employer cannot use background checks as a covert way to screen out protected categories or to collect personal information unrelated to the actual job. (Natlex)
KVKK then adds the data-governance layer. Article 4 requires lawfulness, fairness, accuracy where necessary, specified and legitimate purpose, relevance, proportionality, and storage limitation. Article 5 says personal data may not be processed without explicit consent unless a listed legal ground exists, such as contractual necessity, legal obligation, rights protection, or legitimate interest that does not override the candidate’s fundamental rights and freedoms. Article 10 requires the candidate to be informed when the data are collected, and Article 11 gives the candidate rights including access, correction, erasure in the right circumstances, and information about recipients. This means a lawful background check requires both substantive justification and procedural transparency. (KVKK)
That structure also explains why generic consent forms are often a weak solution. In many recruitment situations, the real legal basis is not open-ended consent but a more specific ground such as pre-contractual necessity, legal obligation, or rights protection. Turkish law does not reward employers for gathering broad “permission” language if the actual data processing is still excessive or unclear. A better compliance approach is to identify the real legal basis for each check and then inform the candidate properly. This is an inference from Articles 4, 5, and 10 taken together. (KVKK)
What employers can usually verify more safely
Some recruitment checks are easier to justify than others. Identity verification, confirmation of educational qualifications, role-specific licences, and work-history details that are directly relevant to the position will usually sit more comfortably within the Article 4 principles of relevance and proportionality and the Article 5 grounds for pre-contractual processing. That does not make them unrestricted. It means they are easier to connect to the establishment of the employment relationship than deeply personal or unrelated background inquiries. (KVKK)
Reference checks can also be lawful, but they should be narrow and role-related. The safer legal logic is to verify professional matters that bear directly on the role rather than to conduct open-ended character investigations. Because KVKK requires a specified purpose and proportionate processing, employers should avoid collecting personal opinions, family details, or lifestyle information under the label of “reference.” Where references are sought, the candidate should also be informed that such contact may occur and for what purpose. This follows from the combined logic of Articles 4, 5, and 10. (KVKK)
Role-specific licences are another good example of lawful narrowness. A driver’s licence may be relevant if the role actually requires driving. Professional certificates may be relevant if the role requires a regulated qualification. But once the document has no real connection to the job, the legal basis weakens. Turkish law does not support a “collect everything now because it might matter later” approach. The Board’s recruitment decisions make that point very clearly. (KVKK)
Criminal record checks: high risk unless genuinely necessary
Criminal convictions and security measures are expressly listed in Article 6 of KVKK as special category personal data. That means criminal-record checks are not ordinary background checks. They sit in a more protected legal category and require a stronger legal basis and stricter handling. Employers should therefore not request criminal records routinely for every position simply because it feels safer. The lawful question is whether the role genuinely requires such a check and whether the employer has a proper legal basis for processing it. (KVKK)
The Board’s 2022/172 decision is especially instructive. In that case, the Turkish liaison office of a foreign-based controller requested a criminal record, health report, lung film report, blood group certificate, driver’s licence copy, marriage certificate copy, and family members’ identity cards from a candidate after acceptance to work. The published summary criticizes the breadth of the data collection and expressly notes that requesting family members’ identity-card information contradicted Article 4’s general principles. This decision does not say criminal-record checks are always unlawful. It shows that, in recruitment, special category data and other sensitive documents are closely scrutinized and cannot be requested in a broad, routine, or poorly justified way. (KVKK)
For employers, the practical lesson is to treat criminal records as an exception, not a default step. If the role involves a legal, security-sensitive, fiduciary, or statutory reason to verify this information, the employer should define that reason narrowly and limit access to the result. If the role does not create such a need, collecting a criminal record merely to “have a complete file” is difficult to reconcile with Article 4 proportionality. (KVKK)
Health reports: not every job justifies them
Health data are also special category personal data under Article 6 of KVKK, which means they are subject to stricter rules. Employers should therefore be very cautious about requesting general health reports in recruitment. The law does not support routine medical collection for every office or low-risk role. Health information is one of the clearest areas where overcollection creates both privacy risk and discrimination risk. (KVKK)
At the same time, Turkish law does recognize situations where health surveillance before assignment is required. Article 15 of Occupational Health and Safety Law No. 6331 requires the employer to ensure health surveillance appropriate to workplace risks and specifically requires health examination before assignment. It also states that workers to be employed in hazardous and very hazardous jobs must receive a medical report before employment. This means health-related checks can be lawful and necessary in risk-based contexts, but the legal basis comes from occupational safety obligations, not from a general employer preference to know as much as possible about a candidate’s health. (Çalışma ve Sosyal Güvenlik Bakanlığı)
The legal implication is narrow but important. A pre-employment health report may be justified where the role or hazard class legally requires it. Outside those situations, employers should avoid requesting broad medical files or diagnosis-level details. Even where a report is required, health data must still be handled confidentially. Article 15 of Law No. 6331 states that health data from medical examinations must be kept confidential to protect individual privacy and prestige. (Çalışma ve Sosyal Güvenlik Bakanlığı)
Excessive document requests are a real enforcement risk
The Board’s published decisions show that recruitment overreach is not hypothetical. In Decision 2022/172, the Authority reviewed a file where the employer-side entity requested a wide range of sensitive and personal documents after the candidate was accepted. The summary shows particular concern about both special category data and the request for family members’ identity information, which the Board linked to Article 4’s general principles. This is a strong official signal that “standard onboarding packs” can be unlawful if they are built around administrative convenience rather than necessity. (KVKK)
This should change how employers think about checklists. A lawful recruitment checklist should be role-based and stage-based. It should ask what is needed before offer, what is needed after conditional offer, what is needed only for regulated or hazardous roles, and what should not be collected at all. One universal document pack for every candidate creates exactly the kind of overcollection risk that the Board has already criticized. (KVKK)
Sharing candidate data is often where employers slip
Candidate data are not free to circulate just because they were collected for recruitment. One early KVKK decision on job applications found unlawful sharing where a data controller operating an online HR platform disclosed an applicant’s application information, name and surname, and email address to other job applicants without any legal basis. The decision is important because it shows how quickly recruitment data can become unlawful when internal or external sharing is not tightly controlled. (KVKK)
This principle applies more broadly. Candidate data should be shared internally only on a need-to-know basis and externally only where a lawful ground and proper transparency exist. A manager in another department, a group company in another country, a foreign headquarters, or a third-party recruiter does not automatically have the right to see everything in the recruitment file. Article 8 of KVKK regulates domestic transfers, and Article 9 governs transfers abroad. Since Article 9 was amended in 2024, cross-border transfer now depends on a lawful Article 5 or 6 condition plus an adequacy decision or one of the recognized safeguard routes, or, in limited incidental cases, one of the listed exceptional grounds. (KVKK)
The 2022/172 recruitment decision also shows why foreign-headquartered recruitment structures need special care. In that case, the file involved a foreign-based controller and a Turkish liaison office, and the Board examined both the document requests and the data-flow implications. Today, the cross-border transfer analysis must be made under the amended Article 9 framework, not under outdated assumptions. For employers, that means any recruitment platform or hiring workflow that routes Turkish candidate data abroad should be reviewed explicitly under current transfer rules. (KVKK)
Rejected candidates’ data cannot be kept forever
Retention is another recurring legal risk. Article 7 of KVKK requires personal data to be erased, destroyed, or anonymized when the reasons for processing no longer exist, subject to other legal rules. The Board has published a decision involving a bank that retained some candidate data after rejecting a job application. The case shows that rejected-candidate retention is legally sensitive and that the candidate can challenge continued storage. The published summary indicates that the bank relied on Article 5 grounds such as pre-contractual necessity, rights protection, and legitimate interest for some recruitment-stage processing, but the case still turned on what could continue to be kept after the purpose had changed and after the candidate objected. (KVKK)
The practical lesson is that employers should not keep unsuccessful applicants’ full files indefinitely on the theory that they might become useful one day. A retention policy for candidate data should distinguish between current recruitment evaluation, short-term talent-pool retention where lawfully justified and properly disclosed, and deletion when the purpose no longer exists or the candidate objects successfully. A “forever database” of rejected applicants is difficult to reconcile with Article 4 storage limitation and Article 7 disposal rules. (KVKK)
Foreign candidates add immigration-law risk
Where the candidate is a foreign national, background checks in recruitment cannot be separated from work authorization. The Ministry of Labour and Social Security states in its official FAQ that foreigners within the scope of Law No. 6735 must obtain a work permit or work permit exemption before starting work in Türkiye and that those working without a valid permit or exemption are subject to criminal and administrative action. This means a foreign candidate’s legal ability to work is not a minor onboarding detail. It is a threshold compliance issue. (Çalışma ve Sosyal Güvenlik Bakanlığı)
The Ministry’s guidance also explains that work-permit validity is tied to a specific job and employer structure, and that foreign workers must start work by fulfilling social-security obligations within the relevant legal period after permit issuance or entry into Türkiye, depending on the application type. For HR teams, that means recruitment checks for foreign candidates should focus less on intrusive personal background review and more on lawful work-authorization planning. (Çalışma ve Sosyal Güvenlik Bakanlığı)
Discrimination risk is built into bad background-check design
One of the easiest ways for a background check to become unlawful is to drift into protected characteristics. Labour Act No. 4857 already prohibits discrimination on grounds such as sex and similar reasons in the making of the employment contract. A background-check process that collects pregnancy-related information, family-care assumptions, religion, political leanings, or comparable personal attributes outside a lawful and necessary context creates immediate risk. Even where the employer never says the information was used, unnecessary collection of protected-category-adjacent information is hard to defend once an adverse hiring outcome follows. (Natlex)
This is another reason role-based design matters. A lawful background check should verify qualifications, permissions, and role-relevant risks. It should not become a broad investigation into lifestyle, family, belief, or health status. In Turkish law, the farther the check moves from job necessity and the closer it moves to protected personal characteristics, the more likely the employer is to face both privacy and discrimination problems. (Natlex)
What employers should do in practice
A defensible recruitment-screening process in Turkey usually begins with a written matrix. For each role, the employer should define which checks are genuinely necessary, at what stage they will be performed, on which legal basis they rest, who may see the results, whether the data may be transferred, and how long they will be kept. This turns background checking from an informal HR habit into a controlled legal process. That structure is strongly supported by Article 4 proportionality, Article 5 lawful-basis requirements, and Article 10 information duties under KVKK. (KVKK)
The second step is staged collection. Basic identity and qualification checks may be justified early. Sensitive checks such as criminal records, health reports, or role-specific compliance documents should be requested only where the role truly requires them and only at the stage when they become necessary. The Board’s decisions show that front-loading all possible documents into the application process is risky. (KVKK)
The third step is access control and retention. Recruitment data should not be shared casually with other applicants, unrelated managers, or group entities. Rejected-candidate files should be kept only on a clear legal basis and for a defined period, with deletion or destruction when the purpose no longer exists. Foreign-platform or headquarters access should be reviewed under current Article 9 transfer rules. (KVKK)
The fourth step is manager training. Many recruitment-law failures do not come from legal teams. They come from managers who ask for “a full background package,” request family documents, want to know whether the candidate has any health issue, or forward candidate files far beyond the hiring team. A compliant policy is useful only if the people implementing recruitment understand why Turkish law requires restraint. (KVKK)
Conclusion
In Turkey, background checks in recruitment are lawful only when they are genuinely necessary, role-specific, transparent, and proportionate. Labour law prohibits discriminatory use of personal information at the hiring stage. KVKK requires a real legal basis, proper candidate notice, strict treatment of special category data such as criminal-record and health data, controlled transfers, and limited retention. The Board’s published decisions show active scrutiny of excessive document requests, unlawful sharing of applicant data, and retention problems after rejection. Occupational safety law allows pre-assignment health surveillance where the role legally requires it, and immigration law requires foreign candidates to have a work permit or exemption before starting work. (Natlex)
The safest approach for employers is not to avoid background checks entirely. It is to narrow them. Ask only what the job actually requires. Collect it only when needed. Tell the candidate clearly what you are doing and why. Keep it only as long as justified. Share it only with the people who truly need it. When employers follow those rules, background checks become a lawful recruitment safeguard. When they do not, the background check itself becomes the employer’s legal problem. (KVKK)
Yanıt yok