A detailed legal guide to reference checks and candidate screening in Turkey, covering candidate data collection, criminal records, health reports, reference verification, discrimination risks, retention, cross-border transfers, and HR compliance.
Reference checks and candidate screening are often treated as ordinary recruitment tools, but in Turkey they are legal risk areas from the very beginning of the hiring process. Employers may want to verify identity, education, work history, licences, reputation, integrity, and role suitability. Yet Turkish law does not allow employers to turn recruitment into an unlimited information-gathering exercise. The legal framework is built mainly on Labour Act No. 4857, the Personal Data Protection Law No. 6698, Occupational Health and Safety Law No. 6331, the Human Rights and Equality Institution Law No. 6701, and, for foreign candidates, the work-permit regime under Law No. 6735. Taken together, these rules mean that a lawful background check in Türkiye depends on necessity, proportionality, transparency, proper legal basis, and careful handling of sensitive data. (Natlex)
The most important legal question is not “What can we find out about the candidate?” but “What information is genuinely necessary for this role, at this stage, for this lawful purpose?” KVKK requires personal data to be processed lawfully and fairly, for specified, explicit, and legitimate purposes, in a way that is relevant, limited, and proportionate, and only for as long as needed. Labour law adds another layer by prohibiting discrimination in the employment relationship and specifically banning direct or indirect discrimination due to sex or maternity in the conclusion, conditions, execution, and termination of the employment contract unless objectively justified. So a recruitment-screening process can become unlawful either because it collects too much data or because it collects the wrong kind of data for a discriminatory purpose. (KVKK)
A useful starting point for HR managers is that Turkish law does not ban reference checks as such. What it does is regulate the way candidate data are collected, processed, shared, and retained. As an inference from KVKK’s Articles 4, 5, and 10, a reference check is most defensible when it is narrowly tied to the position, limited to work-related verification, and disclosed to the candidate in an intelligible privacy notice. That is very different from conducting a broad personal investigation into the candidate’s private life, family, beliefs, health, or unrelated history. In practice, role-relevant questions about past duties, qualifications, or professional performance are easier to justify than open-ended questions about the candidate’s character, lifestyle, or personal background. (KVKK)
This is also where discrimination law becomes important. Labour Act No. 4857 prohibits discrimination based on language, race, sex, political opinion, philosophical belief, religion, and similar grounds in the employment relationship, and it separately prohibits direct or indirect discrimination due to sex or maternity in making or implementing the contract. Law No. 6701 goes further and states that an employer or a person authorized by the employer may not discriminate against an employee or a job applicant at any stage of work, including application, selection, hiring, working conditions, promotion, and termination, and it expressly says an employer may not reject an employment application because of pregnancy, maternity, or child care. This means a background-check process cannot lawfully be used to uncover protected information and then quietly screen candidates out. (Natlex)
Ordinary candidate verification such as confirming identity, academic qualifications, professional licences, and role-specific employment history is usually easier to justify because it can often be linked directly to pre-contractual necessity or legitimate hiring needs. Article 5 of KVKK allows personal-data processing without explicit consent where it is directly related to the establishment or performance of a contract, necessary for compliance with a legal obligation, necessary for the establishment, exercise, or protection of a right, or necessary for the controller’s legitimate interests provided the candidate’s fundamental rights and freedoms are not overridden. In recruitment, that means employers often do not need to rely mechanically on broad consent language for every check; instead, they should identify the real legal basis for each specific screening step. (KVKK)
Reference checks should therefore be designed as a narrow verification process rather than a broad reputational trawl. Turkish statutes do not contain a dedicated article saying “this is how references must be taken,” so the safest legal reading is derived from KVKK’s necessity and proportionality principles. A prudent employer should limit reference inquiries to facts that genuinely matter to the role, such as prior position, scope of duties, job-related conduct, and qualification-related issues. The candidate should also be informed that such checks may take place and for what purpose, because Article 10 requires the data subject to be informed, at the time personal data are obtained, about the identity of the data controller, the purpose of processing, the transfer recipients, the method and legal basis of collection, and the data subject’s rights. (KVKK)
Employers should be especially careful with criminal-record checks. KVKK classifies criminal convictions and security measures as special categories of personal data, alongside health data, trade-union membership, biometric data, and other sensitive categories. Article 6 says that processing such data is prohibited unless one of the statutory conditions exists, including explicit legal permission, explicit consent, necessity for the establishment, exercise, or protection of a right, or necessity for legal obligations in employment, occupational health and safety, social security, social services, and social assistance. This means a criminal-record request is not an ordinary recruitment step. It must be role-justified, legally grounded, and handled with heightened care. (KVKK)
The Personal Data Protection Board’s 2022/172 decision is highly instructive here. In that case, a foreign-based data controller’s Turkish liaison office requested several documents during recruitment, including a criminal record, health report, lung film report, blood group certificate, driver’s licence copy, marriage certificate copy, and family members’ identity-card information. The Board’s published summary states that requesting family members’ identity-card information conflicted with KVKK’s general principles, notes failures relating to processing of special category data, and also flags the possibility of cross-border transfer because the controller was based abroad. The lesson is not that every criminal-record or health-related request is always unlawful. The lesson is that Turkish regulators scrutinize recruitment-stage overcollection closely, especially where special category data or family-member data are involved. (KVKK)
Health reports require even greater caution. Health data are special category personal data under Article 6 of KVKK, and employers should not request general medical reports for every position simply because they would prefer a “complete file.” Turkish law does, however, recognize situations where pre-assignment medical examination is legally required. Article 15 of Occupational Health and Safety Law No. 6331 requires health surveillance appropriate to workplace risks and states that health examination is required before assignment, after job change, on return to work in certain situations, and at regular intervals depending on the work and hazard class. It also states that workers in hazardous and very hazardous jobs must receive a medical report before employment. So the legal question is not whether employers may ever request health information; it is whether the role actually creates a lawful need for it.
This distinction matters because a role-based medical screening obligation is very different from a routine health-file collection policy. For a high-risk role, a pre-assignment health report may be justified or required under OHS law. For a low-risk office role, asking for broad medical information may be very difficult to reconcile with KVKK’s relevance and proportionality principles. Even where a health report is lawfully required, the report must still be handled confidentially, and the employer should limit access to what is necessary for fitness-for-work assessment rather than circulating diagnosis-level information internally.
Candidate data-sharing is another area where employers commonly make mistakes. The Board has already sanctioned unlawful sharing in a recruitment setting. In the published job-application sharing decision, the Authority found that an online HR platform had shared an applicant’s application information, name and surname, and email address with other job applicants without a legal basis, and it imposed an administrative fine. The same published summary also states that data transfers between separate data controllers within the same group of companies are still treated as transfers to third parties for KVKK purposes, and that sharing candidate data between group companies without the applicant’s explicit consent violated the قانون’s security and transfer rules in the facts before the Board. This is extremely important for employers using shared databases across a corporate group. (KVKK)
In practice, that means candidate information does not become freely shareable simply because the companies belong to the same corporate family. If a candidate applies to one company, that does not automatically authorize group-wide use of the application file. Domestic sharing must comply with Article 8 on transfers, and international sharing must comply with Article 9. Since Article 9 was amended in 2024, foreign transfer now requires a lawful Article 5 or 6 condition plus either an adequacy decision or an appropriate safeguard route, with enforceable rights and effective legal remedies for the data subject in the receiving country. Employers using multinational applicant-tracking systems, global HR platforms, or headquarters-level screening tools should therefore treat candidate-data transfers as a real legal step rather than a technical detail. (KVKK)
Candidate-data retention is just as important as candidate-data collection. KVKK’s Article 7 requires personal data to be erased, destroyed, or anonymized, ex officio or on the request of the data subject, once the reasons for processing no longer exist. The Regulation on Erasure, Destruction or Anonymization of Personal Data adds that disposal operations must be recorded and those records must generally be kept for at least three years. In recruitment terms, this means rejected-candidate files cannot simply remain in company systems forever because they “might be useful later.” The employer needs a real retention logic tied to the purpose of processing. If the candidate is not hired and there is no continuing lawful basis to keep the data, the file should be erased, destroyed, or anonymized under the statutory framework. (KVKK)
This retention rule should also influence talent-pool design. Some employers want to keep unsuccessful applicants in a future-candidates database. Turkish law does not necessarily make that impossible, but it does require a lawful basis, a clear purpose, a proper information notice, and compliance with storage-limitation principles. A vague practice of indefinite retention is not enough. The more sensitive the screening data are, the harder indefinite storage becomes to defend. (KVKK)
Foreign-candidate screening introduces an additional legal layer. The Ministry of Labour and Social Security states in its official FAQ that foreigners within the scope of Law No. 6735 must obtain a work permit or a work-permit exemption before starting work in Türkiye, and that foreigners who work without a valid permit or exemption are subject to criminal and administrative action. The Ministry’s step-by-step work-permit guide also explains that the employer must submit the statement of starting employment to the Social Security Center within 30 days of the foreigner’s entry into the country or within 30 days of work-permit approval, depending on the application path, and lists core documents such as the employment contract, biometric photo, passport, and diploma. For HR, this means immigration-law compliance is often more important than intrusive personal screening when hiring foreign nationals. (Çalışma ve Sosyal Güvenlik Bakanlığı)
That does not mean employers should ignore background checks for foreign candidates. It means the employer should focus on lawful work-authorization verification, document authenticity, and role suitability rather than drifting into disproportionate personal-data collection. The same proportionality logic applies: collect what the role and the law require, not what administrative caution alone would prefer. (Çalışma ve Sosyal Güvenlik Bakanlığı)
The labour-law confidentiality framework also remains relevant after hiring. Article 75 of Labour Act No. 4857 requires the employer to keep a personnel file for each employee and to retain documents required by law, but it also requires the employer to use information about the employee lawfully and in line with honesty and not disclose information the employee has a justified interest in keeping secret. This becomes important at the border between recruitment and onboarding. Once a candidate is hired, some recruitment-screening records may legitimately move into the personnel file, but that does not remove confidentiality duties. Hiring someone is not a legal basis for unlimited internal circulation of their background-check information. (Natlex)
For HR teams, the safest operational approach is to build recruitment screening around four questions. First, what exactly is being checked and why is that check necessary for this role. Second, what legal basis supports the processing. Third, who will see the information and will it be transferred to another group company or abroad. Fourth, how long will the information be kept if the candidate is rejected or hired. If those four questions cannot be answered clearly, the background-check process is usually too broad. That conclusion follows directly from KVKK’s structure, the Board’s published decisions, and the anti-discrimination framework of labour law. (KVKK)
A strong employer should also separate recruitment stages. It is rarely necessary to collect all screening data at the first application stage. Basic identity and qualification checks may come first. More sensitive checks, if genuinely necessary, can be reserved for the post-offer or conditional-offer stage. Role-specific health reports can be requested only where OHS law truly requires them. Work-permit steps can be handled only for foreign candidates actually moving toward employment. This staged model is usually much easier to defend than a universal “send us everything now” recruitment pack.
Another practical safeguard is manager training. Many legal failures in recruitment do not begin with lawyers or HR directors. They begin with line managers who ask for “a full background package,” demand family details, want to know whether the candidate has any health issue, or forward candidate files broadly inside the group. Turkish law does not prevent careful screening. It prevents uncontrolled screening. A written policy is therefore useful only if managers, recruiters, and external vendors understand the limits that follow from KVKK, labour law, and OHS rules. (KVKK)
In conclusion, reference checks and candidate screening in employment law in Turkey are lawful only when they are narrow, role-based, transparent, and proportionate. Labour Act No. 4857 and Law No. 6701 prohibit discriminatory use of candidate information, including pregnancy-related screening at the application stage. KVKK requires a real legal basis, proper candidate notice, careful handling of special category data such as criminal-record and health information, secure and lawful data sharing, and disposal once the processing purpose ends. The Board’s published decisions show active scrutiny of excessive document requests and unlawful sharing of applicant data, including sharing within a group of companies. OHS law justifies pre-assignment health examinations where the role actually requires them, and foreign-worker law requires work authorization before employment begins. Employers that keep candidate screening tightly connected to the job usually stay on safer legal ground. Employers that collect too much, too early, and share it too widely often turn the screening process itself into the legal problem. (KVKK)
Yanıt yok