Learn the main HR data protection rules in Turkey under KVKK, including lawful bases, employee notices, special-category data, retention, employee monitoring, overseas transfers, VERBIS, and sanctions.
Introduction
Employee data protection in Turkey is governed mainly by Law No. 6698 on the Protection of Personal Data (KVKK), supported by Board decisions, KVKK guidance, the Data Controllers’ Registry rules, the erasure/destruction regime, and the 2024-amended cross-border transfer framework. For HR teams, this means compliance is not limited to collecting a signed privacy form. It covers the full employee data lifecycle: recruitment, onboarding, payroll, performance management, workplace monitoring, disciplinary processes, occupational health and safety, employment termination, retention, deletion, and, where applicable, transfers abroad.
The practical compliance challenge in Turkey is that many employers rely too heavily on explicit consent. KVKK’s own guidance states that where a processing activity can already be based on one of the lawful processing conditions other than consent, obtaining additional explicit consent is not appropriate and may even be misleading or abusive. The same guidance gives HR-specific examples and notes that payroll-related processing may rest on contract performance and legal-obligation grounds rather than consent.
This matters especially in employment because the HR context includes structural imbalance. A compliant Turkish HR privacy model usually depends less on blanket consent forms and more on choosing the correct lawful basis under Articles 5 and 6, giving a proper Article 10 notice, implementing Article 12 security measures, responding to Article 11 requests, deleting data when retention grounds end under Article 7, and handling overseas transfers under the amended Article 9.
1. The legal framework of HR data protection in Turkey
The purpose of Law No. 6698 is to protect fundamental rights and freedoms, especially privacy, in the processing of personal data and to regulate the obligations of persons who process such data. The law applies to personal data processed wholly or partly by automated means and also to non-automated processing where the data form part of a filing system. In HR practice, that covers virtually every structured personnel process, from spreadsheets and payroll systems to personnel files and access logs.
Under the law, the data controller is the natural or legal person who determines the purposes and means of processing and is responsible for establishing and managing the data filing system. In an ordinary employment setting, that will usually be the employer entity, not the HR software provider. Payroll vendors, cloud providers, and outsourced processors may be data processors, but the employer remains primarily accountable for most HR processing decisions.
That distinction is not theoretical. Article 12(2) states that where personal data are processed by another person on behalf of the data controller, the controller remains jointly responsible for taking the required security measures. For HR compliance, this means outsourcing does not eliminate accountability for payroll processors, benefits administrators, cloud HR platforms, or document-archiving vendors.
2. The six core principles every HR process must satisfy
Article 4 sets out the general principles of lawful processing. Personal data must be processed lawfully and fairly, kept accurate and up to date where necessary, processed for specified, explicit, and legitimate purposes, limited and proportionate to those purposes, and stored only for the period required by law or by the purpose of processing. These principles apply to every HR activity, even where a lawful basis under Article 5 or 6 exists.
For employers, the most practical principles are purpose limitation, data minimization, and storage limitation. A company may have a lawful basis to process employee data, yet still violate KVKK if it collects more data than necessary, uses the data for a new incompatible purpose, or keeps the data longer than required. KVKK’s guidance on erasure and destruction expressly states that once the grounds requiring processing no longer exist, the controller must erase, destroy, or anonymize the data.
This is why HR compliance should be built process by process rather than form by form. Employers should ask, for each HR workflow: what data are truly needed, for what exact purpose, on what legal basis, who receives the data, how long are they retained, and what happens when the retention ground ends. KVKK’s inventory and registry logic strongly supports that structured approach.
3. Lawful bases in employee data processing: consent is not the default
Article 5 states the general rule that personal data cannot be processed without explicit consent, but it also lists the alternative lawful bases that allow processing without consent. In HR practice, the most important are: processing expressly provided by law; processing necessary for the establishment or performance of a contract; processing necessary for compliance with the controller’s legal obligations; processing necessary for the establishment, exercise, or protection of a right; and processing necessary for the controller’s legitimate interests, provided fundamental rights and freedoms are not harmed.
KVKK’s own guidance on lawful bases states that if a processing activity can rely on a lawful basis other than explicit consent, the controller should not additionally seek consent for the same activity. The same guide explains that doing so can mislead the data subject, because if consent is later withdrawn the person may wrongly assume the processing must stop even though another lawful basis still exists. The guide even uses an HR example, explaining that data processing for payroll preparation may rest on contract performance and legal obligation grounds.
Board practice in the employment context supports the same approach. In Decision 2021/1218, the Board summary reflects the position that processing an employee’s ordinary personal data during the employment relationship can fall within Article 5/2(c), because it is directly related to the establishment or performance of the employment contract, and may also rest on Articles 5/2(e) and 5/2(f) where appropriate. The same decision summary also refers to post-termination retention of personnel-file information for future disputes under a legitimate-interest theory.
4. Recruitment and onboarding: the first HR privacy risk point
Employee data protection begins before the employment contract is signed. Recruitment involves CVs, contact data, references, interview notes, assessment results, and, in some sectors, background-related information. Under Article 4, employers still need a defined purpose and a limited, proportionate collection model at this stage. Under Article 10, the candidate must be informed at the time of collection about the controller’s identity, the purposes of processing, transfer recipients and purposes, the method and legal basis of collection, and the data subject’s rights.
A frequent mistake at onboarding is overcollection. Employers sometimes gather broad family, health, biometric, and background information “just in case,” even where the employment role does not require it. Article 4’s proportionality rule and Article 5’s lawful-basis structure do not support that habit. The legal question is always whether the data are necessary for the stated employment purpose or required by law.
Onboarding is also where many employers misuse consent forms. A long standard packet with a single broad consent clause is not a substitute for choosing the right legal basis. KVKK’s lawful-bases guidance expressly warns against using consent where another legal basis already exists. In HR, that warning is especially important because payroll, SGK, tax, occupational safety, and core employment-file processing often rest on legal obligation or contract-performance grounds rather than consent.
5. Special-category employee data: health, biometrics, union membership, and more
Article 6 regulates special categories of personal data. It lists data revealing race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, dress and attire, membership of associations, foundations or trade unions, data concerning health and sexual life, criminal convictions and security measures, and biometric and genetic data. After the 2024 amendment, Article 6(3) permits processing of special-category data where one of the listed conditions exists, including explicit consent, express provision by law, protection of life or physical integrity, data made public by the subject consistent with their intention, establishment/exercise/protection of a right, health-care purposes, and, crucially for HR, necessity for the fulfilment of legal obligations in employment, occupational health and safety, social security, social services, and social assistance.
That employment-related special-category ground is one of the most important changes for HR compliance in Turkey. KVKK’s 2025 guide on special-category data explains that Article 6(3)(f) creates a processing permission tied to what employment legislation actually requires and warns that it does not give employers unlimited freedom to process workers’ sensitive data. In other words, the existence of an employment-law connection does not remove the need for necessity and proportionality.
The law also requires adequate measures for special-category data. Article 6(4) says these measures are determined by the Board, and KVKK’s official special-categories page and guide both remind controllers that Board-determined safeguards must be implemented. For HR teams, this means health reports, disability information, biometric access data, union-membership-related information, and criminal-record data should be governed by tighter access controls and stronger internal procedures than ordinary contact or payroll data.
6. Fingerprint and biometric attendance systems are high-risk
One of the clearest HR warning signs in Turkish practice is the use of fingerprint-based attendance or access systems without a strong legal justification. In Board Decision 2020/404, the summary states that all employees’ fingerprints were collected, that employees were effectively compelled to provide them, and that the controller argued these were used for emergency management, physical security, and similar purposes. The Board summary records the view that biometric data remain biometric even if hashed and that, absent a proper legal basis, biometric processing must meet Article 6 requirements and the general principles of Article 4. It also states that the use of fingerprints for purposes like physical-area security was disproportionate where less intrusive alternatives such as magnetic cards, RFID tags, or SMS-based entry were available.
The same decision summary shows the enforcement consequence: the Board imposed an administrative fine for failure to fulfil the Article 10 notice obligation and another for breach of Article 12 data security obligations. This makes the practical lesson very clear: biometric systems in workplaces should never be treated as ordinary HR technology. They require a special-category analysis, proportionality analysis, security analysis, and notice analysis together.
For employers, the safest approach is to assume that biometric attendance systems are legally sensitive by default. Before rollout, the employer should assess whether a less intrusive alternative can achieve the same purpose, whether the legal basis is actually available under Article 6, whether Board-required safeguards are in place, and whether employees have received a proper notice.
7. Employee monitoring and corporate email access require prior transparency
Workplace monitoring is another HR data-protection risk area. Board summaries involving employee email accounts show that the KVKK framework expects more than general managerial authority. In Decision 2021/1187, the complaint summary states that the former employee argued there had been no notice that company email accounts were to be used only for work and no monitoring criteria had been set, while the controller argued that the account was corporate and work-related. In Decision 2023/86, the dispute similarly centered on monitoring, access, and storage of employee corporate-email contents and whether the employee had been properly informed.
The practical lesson is that an employer should not assume that because the mailbox is “corporate,” access is automatically unrestricted from a data-protection perspective. Article 10 requires notice at the time of collection, and KVKK’s notice guide emphasizes that the duty to inform is an indispensable condition for lawful processing. Monitoring policies should therefore explain what systems are monitored, for what purposes, by what methods, on what legal basis, and with what retention and access limits.
A compliant HR monitoring framework in Turkey should also distinguish between business security, misconduct investigation, continuity needs after resignation, and generalized surveillance. The broader and less specific the monitoring practice is, the harder it becomes to defend under the principles of purpose limitation, proportionality, and transparency in Article 4 and Article 10.
8. Retention, deletion, and personnel file lifecycle management
Under Article 7, personal data that were lawfully processed must still be erased, destroyed, or anonymized once the reasons requiring processing no longer exist. KVKK’s erasure, destruction, and anonymization materials state clearly that the data controller must do this ex officio or upon the data subject’s request, and that a request from the data subject is not a prerequisite for the controller’s duty to act.
For HR teams, this means “we may need it one day” is not a lawful retention policy by itself. Employers should map retention periods to concrete legal bases: labor-law limitation periods, tax retention duties, social security obligations, occupational health and safety duties, or dispute-related legitimate interests. Board practice reflected in the 2021/1218 summary suggests that retaining some personnel-file data after termination may be justified where they may provide evidentiary support in future disputes, but that does not justify indefinite retention of all employee data.
A compliant HR privacy program therefore needs a written retention and destruction logic. That usually means classifying employee data by category, identifying why each category is still needed, and applying deletion, destruction, or anonymization when the lawful basis ends. KVKK’s registry and inventory framework supports exactly this kind of structured lifecycle management.
9. Employee notice obligations and data subject rights
Article 10 requires the controller to inform the data subject at the time personal data are obtained. The required notice elements are the identity of the controller and representative, the purposes of processing, the transfer recipients and purposes, the method and legal basis of collection, and the rights listed in Article 11. KVKK’s notice guide emphasizes that this obligation is both a controller duty and a data subject right.
Article 11 gives employees the right to learn whether their data are being processed, obtain information about processing, learn the purpose of processing and whether use is purpose-compliant, learn domestic and foreign recipients, request rectification, request erasure or destruction where Article 7 conditions are met, request notification of rectification/erasure to recipients, object to solely automated analysis producing adverse results, and claim compensation for unlawful processing.
These rights have real operational consequences for HR. Under Article 13, the employee must first apply to the controller, and the controller must answer as soon as possible and no later than 30 days. If the request is refused, insufficiently answered, or unanswered, the employee may complain to the Board within the periods set by Article 14. For HR teams, that means employee privacy requests should be handled through a formal internal process rather than informally by line managers.
10. Data security, vendor management, and breach notification
Article 12 requires the data controller to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. It also requires the controller to conduct or procure audits and imposes a continuing confidentiality obligation on controllers and processors that survives the end of their office or engagement. Where processing is carried out by another person on behalf of the controller, the controller and processor are jointly responsible for the relevant measures.
KVKK’s official security guidance adds that there is no one-size-fits-all model; the appropriate measures depend on the controller’s structure, activities, risks, and the nature of the personal data. That is especially important in HR, where payroll, health, biometric, disciplinary, and access-control data often sit on multiple systems with different vendors and user groups.
In case of a breach, Article 12(5) requires notification to the data subject and the Board “within the shortest time.” Board Decision 2019/10 interprets that phrase as 72 hours from the controller’s becoming aware of the breach; where that deadline cannot be met, the notification must still be made without undue further delay and must state the reasons for the delay. The Board also requires breach documentation and a breach response plan. For HR departments, this means payroll leaks, unauthorized HR-system access, or accidental disclosure of employee records should trigger a formal incident-response process immediately, with the 72-hour clock starting at detection, not at the end of the internal investigation.
11. Cross-border HR data transfers after the 2024 reform
Cross-border transfer rules changed materially in 2024. Under the amended Article 9, personal data may be transferred abroad where one of the Article 5 or Article 6 conditions is met and there is an adequacy decision for the destination country, sector, or international organization. In the absence of adequacy, transfers may still be possible with appropriate safeguards, including Board-approved binding corporate rules, standard contracts published by the Board, or a written commitment approved by the Board.
This is highly relevant for multinational HR operations. Global HRIS systems, parent-company reporting, regional payroll processing, group-wide talent databases, and cross-border investigations may all involve transfers abroad. The Board’s official overseas-transfer page states that, following the Board’s 04.06.2024 decision, standard contracts and binding corporate rules became recognized safeguard mechanisms, and Article 9(5) requires that the signed standard contract be notified to the Authority within five business days of signature.
Where no adequacy decision and no appropriate safeguard exist, Article 9 still allows limited incidental transfers in listed cases, such as explicit consent after being informed of risks or where the transfer is necessary for contract performance or pre-contractual steps. Employers should therefore stop treating foreign HR-system use as a purely IT issue. In Turkey, overseas HR transfers require a specific Article 9 analysis.
12. VERBIS registration and HR-related registry risk
Article 16 states that data controllers must register with the Data Controllers’ Registry (VERBİS) before starting to process data, unless the Board grants an exemption using objective criteria. The By-Law on the Data Controllers’ Registry states that controllers fulfil the registration obligation by entering the required information into VERBİS.
For many employers, VERBİS is directly relevant because HR data are almost always among the registered categories of data subjects and data categories. Current Board announcements show that the exemption thresholds are not static. According to the Board’s 2026 public announcement on the 2025/1572 decision, controllers whose annual employee count is below 50 and annual financial balance sheet total is below TRY 100 million, and whose main activity is not special-category data processing, are exempt; the same announcement also extends exemption to controllers whose main activity is special-category processing if they have fewer than 10 employees and a balance sheet below TRY 10 million.
This means HR-led companies should not assume that “small business” automatically removes VERBİS risk. The exemption depends on specific thresholds and activity type, and foreign-resident controllers or larger employers often remain registrable. Since HR data are a routine part of controller operations, VERBİS analysis should be built into HR privacy governance rather than left entirely to IT or outside counsel.
13. Sanctions and enforcement risk
KVKK non-compliance in HR is not just theoretical. Article 18 provides administrative fines for failure to fulfil the notice obligation, failure to fulfil data security obligations, failure to comply with Board decisions, failure to comply with VERBİS registration/notification obligations, and—after the 2024 reform—failure to comply with the Article 9(5) standard-contract notification obligation. The law sets statutory fine ranges and states that fines are imposed on the data controller, while the new Article 9(5) notification fine can be imposed on the controller or on private-law persons processing data. The law also now states that administrative fines may be challenged before the administrative courts.
Board practice also shows real workplace enforcement. In the fingerprint-related 2020/404 summary, the Board imposed one fine for failure to inform and another for breach of data security obligations. This is a useful HR reminder: workplace privacy violations can lead to concrete sanctions even without a mass data breach.
For employers, the practical point is simple. HR privacy compliance should not be built around the hope that “this is only internal employee data.” Under KVKK, employee data are still protected personal data, and HR failures can lead to Board complaints, administrative fines, court claims, and serious reputational risk.
Conclusion
Employee data protection in Turkey is a full compliance discipline under KVKK, not a signature exercise. A lawful HR privacy framework requires the employer to process employee data under the Article 4 principles, choose the correct lawful basis under Articles 5 and 6, provide a proper Article 10 notice, honor Article 11 data subject rights, secure data under Article 12, erase or anonymize data under Article 7 when retention grounds end, assess Article 9 for transfers abroad, and review whether VERBİS registration is required.
For HR teams in Turkey, the strongest compliance model is usually the one that relies least on blanket consent and most on accurate legal-basis mapping, tight retention logic, controlled access, and documented governance. For employees, the key point is that workplace privacy rights in Turkey do not end when employment begins. In Turkish practice, the most defensible HR data systems are not the most data-hungry ones. They are the ones that are transparent, proportionate, secure, and legally justified at every stage of the employment relationship.