Introduction
Employee personal data protection has become one of the most important compliance areas for employers in Turkey. Modern workplaces process large volumes of employee data: identity documents, payroll records, bank account details, health reports, criminal record certificates, performance evaluations, disciplinary records, camera footage, access logs, emails, device data, biometric identifiers, workplace accident reports, and even remote-working activity data. While employers need certain employee information to manage the employment relationship, comply with labor and social security obligations, and protect workplace security, these needs do not create unlimited authority to collect, store, monitor, or disclose employee data.
In Turkey, employee data protection is governed mainly by Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, and by employment-related rules under Turkish Labor Law No. 4857. KVKK establishes general principles, legal bases, data subject rights, security obligations, transfer rules, and penalties. Turkish Labor Law, especially Article 75, requires employers to maintain a personnel file for each employee and also obliges employers to use employee information lawfully and not disclose information that employees have a justifiable interest in keeping confidential.
For employers, HR departments, foreign companies, payroll providers, recruitment agencies, and multinational groups operating in Turkey, employee personal data protection is not only a privacy issue. It is also a labor law, compliance, cybersecurity, evidence, reputation, and litigation risk issue. A legally weak HR data system may lead to complaints before the Turkish Personal Data Protection Authority, labor disputes, administrative fines, employee compensation claims, invalid disciplinary processes, and reputational damage.
What Is Employee Personal Data?
Employee personal data means any information relating to an identified or identifiable employee, candidate, intern, former employee, freelancer, or workplace representative. Under KVKK, personal data is broadly defined, and the law applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system. The data controller is the person or entity that determines the purposes and means of processing, and in most employment relationships the employer will be the data controller for HR processing activities.
Employee personal data may include ordinary personal data such as name, surname, Turkish identity number, passport number, address, telephone number, email address, emergency contact information, education history, CV, employment contract, salary information, bank account number, tax records, attendance records, leave records, performance notes, disciplinary documents, workplace correspondence, and system access logs.
It may also include special categories of personal data, such as health data, disability information, pregnancy-related information, biometric access records, criminal conviction data, union membership information, religious belief information, genetic data, and occupational health and safety records. KVKK Article 6 treats these categories as special categories of personal data and applies stricter processing conditions to them.
The Legal Relationship Between KVKK and Turkish Labor Law
Employee data protection in Turkey cannot be understood by looking only at privacy law or only at labor law. Both legal regimes must be considered together. KVKK sets out the general data protection framework, while Turkish Labor Law gives employers certain employment-specific duties, including maintaining personnel files, keeping legally required records, protecting employee health and safety, paying wages, managing leave records, and documenting employment processes.
Article 75 of Turkish Labor Law No. 4857 requires employers to arrange a personnel file for each employee. The employer must keep the employee’s identity information and all documents and records required under the Labor Law and other legislation, and must show them to authorized persons and authorities when requested. The same article also provides that the employer must use information obtained about the employee in accordance with honesty and law, and must not disclose information that the employee has a justifiable interest in keeping confidential.
This provision is highly important from a data protection perspective. It means that the personnel file is not a free archive where employers may collect unlimited documents. The file must be lawful, necessary, employment-related, and confidential. KVKK strengthens this approach by requiring lawfulness, fairness, purpose limitation, data minimization, proportionality, accuracy, and storage limitation in all personal data processing activities.
Core Principles for Processing Employee Data
KVKK Article 4 sets out the general principles that apply to all employee data processing. Personal data must be processed lawfully and fairly, must be accurate and kept up to date where necessary, must be processed for specified, explicit, and legitimate purposes, must be relevant, limited, and proportionate to the purpose, and must be stored only for the period required by law or by the purpose of processing.
In the employment context, these principles are practical and decisive. An employer may need identity information to prepare an employment contract, payroll information to pay wages, health information for occupational safety obligations, and attendance records to calculate working time. However, the employer should not collect unrelated family information, excessive medical details, irrelevant criminal records, unnecessary biometric data, or private social media information unless there is a clear and lawful basis.
The principle of proportionality is especially important. Employers have a legitimate interest in managing the workplace, but employees do not lose their privacy rights when they enter the workplace. Every HR data practice should answer the same questions: Why is this data needed? Is there a legal basis? Is the same purpose achievable with less data? Who will access it? How long will it be stored? Will it be transferred? Is the employee properly informed?
Legal Bases for Processing Employee Personal Data
A common mistake in Turkey is assuming that employers must obtain explicit consent for every HR data processing activity. In reality, explicit consent is only one legal basis under KVKK. Article 5 allows personal data to be processed without explicit consent if one of the statutory conditions exists, including where processing is expressly provided by law, necessary for contract performance, necessary for compliance with a legal obligation, necessary for the establishment, exercise, or protection of a right, or necessary for the legitimate interests of the data controller provided that fundamental rights and freedoms are not violated.
In employment relationships, many processing activities are based on legal obligation or contract performance rather than consent. For example, processing identity information, salary details, social security records, tax information, bank account details, working time records, annual leave records, and payroll documents may be necessary for the performance of the employment contract or for compliance with legal obligations.
Processing may also be necessary for the establishment, exercise, or protection of rights. For instance, an employer may process disciplinary records, warning letters, performance documents, camera records, workplace accident documents, email records, or attendance records in order to defend itself in a labor dispute, prove a valid termination reason, or respond to an inspection.
Legitimate interest may also apply in limited cases, such as workplace security, internal compliance, fraud prevention, IT security, and access control. However, legitimate interest should not be used automatically. The employer should conduct a balancing assessment between the employer’s interest and the employee’s fundamental rights and freedoms.
Explicit Consent in Employment Relationships
Explicit consent under KVKK must be specific, informed, and freely given. In employment relationships, consent is sensitive because of the imbalance of power between employer and employee. An employee may feel compelled to sign a consent form in order to obtain or keep employment. Therefore, employers should not rely on consent where another legal basis such as legal obligation, contract performance, or protection of rights is available.
For example, asking employees to consent to payroll processing is usually unnecessary because payroll processing is required for the employment relationship and legal obligations. Asking employees to consent to social security reporting is also unnecessary because the employer is legally required to perform such processing. Using consent in these cases may create confusion, because if the employee withdraws consent, the employer still has to process the data due to legal obligations.
Consent may be required for non-essential or optional processing activities. Examples may include publishing an employee’s photograph in marketing materials, sharing employee images on social media, using employee testimonials for advertising, processing biometric data where no statutory ground or strict necessity exists, or transferring employee data for optional benefits that are not required under the employment relationship.
Personnel Files and HR Records
The personnel file is one of the most important documents in Turkish employment practice. It may contain employment contracts, identity information, job descriptions, salary records, leave documents, payroll records, training records, occupational health and safety documents, warning letters, disciplinary records, resignation letters, termination notices, settlement documents, and documents required by other laws.
However, the employer should not treat the personnel file as an unlimited storage area. Turkish Labor Law Article 75 requires employers to keep documents and records that must be arranged under the Labor Law and other legislation, and it imposes confidentiality and lawful-use duties on the employer.
From a KVKK perspective, personnel files must be structured according to purpose and access level. HR staff may need access to employment contracts and payroll records. Occupational health professionals may need access to certain health documents. Managers may need access to performance records but not detailed medical reports. Finance departments may need salary and bank information but not disciplinary investigation details. Legal departments may need access to dispute-related documents. Proper role-based access control is essential.
Candidate and Recruitment Data
Employee data protection starts before employment begins. Employers often process candidate CVs, interview notes, reference checks, test results, identity information, education records, certificates, salary expectations, and sometimes criminal record or health data. Candidate data must also comply with KVKK.
Recruitment data should be limited to information necessary for evaluating the candidate’s suitability for the position. Employers should avoid collecting excessive documents at the early application stage. For example, requesting a criminal record certificate or detailed health report from every candidate may be disproportionate unless the position legally or objectively requires it.
Candidate privacy notices should explain the identity of the employer, processing purposes, legal basis, data categories, transfer recipients, retention period, and rights of the candidate. Candidate data should not be kept indefinitely. If the candidate is not hired, the employer should define a reasonable retention period based on legitimate HR needs and possible legal claims, and then delete, destroy, or anonymize the data when the purpose no longer exists.
Health Data and Occupational Safety
Health data is a special category of personal data under KVKK Article 6. This includes medical reports, disability records, pregnancy information, workplace accident reports, occupational disease records, fitness-for-work reports, sick leave documents, and occupational health examination records. Special category data processing is prohibited as a rule, but Article 6 provides specific exceptions, including processing necessary for public health, preventive medicine, medical diagnosis, treatment and care services, and processing necessary for legal obligations in employment, occupational health and safety, social security, social services, and social assistance.
Employers may need certain health data to comply with occupational health and safety obligations. However, health data should be collected and accessed on a need-to-know basis. An employer may need to know whether an employee is fit for a particular job, but may not need the employee’s full medical history. HR personnel may need administrative information about sick leave, but not detailed diagnosis records unless there is a lawful and necessary reason.
Health data should be stored separately or with heightened access controls. It should not be freely accessible to managers, team leaders, administrative personnel, or unrelated departments. Employers should also ensure that workplace doctors, occupational safety experts, payroll providers, and external health service providers process data under clear confidentiality and security rules.
Biometric Data in the Workplace
Biometric data is also a special category of personal data under KVKK. Workplace biometric systems may include fingerprint access, facial recognition, palm vein scanning, iris scanning, or biometric timekeeping systems. Because biometric data is unique and difficult to replace if compromised, it creates a higher privacy risk than ordinary access cards or passwords.
Employers considering biometric systems should carefully evaluate necessity and proportionality. If workplace entry control or attendance tracking can be achieved through less intrusive methods, such as card systems, passwords, mobile authentication, or manual attendance records, biometric processing may be legally risky. The employer must also consider whether the processing has a valid Article 6 basis, whether explicit consent is truly freely given, whether alternative methods are available for employees who do not consent, and whether adequate technical and organizational measures are implemented.
Biometric templates should be encrypted, access should be strictly limited, retention periods should be short and purpose-based, and deletion should occur when the employment relationship ends or when the biometric system is no longer necessary.
Criminal Record Data and Background Checks
Criminal conviction and security measure data are special categories of personal data under KVKK Article 6. Employers should not request criminal record certificates from all candidates or employees as a routine practice unless there is a legal requirement or a clear necessity linked to the role.
A criminal record check may be more justifiable for security-sensitive positions, roles involving children or vulnerable persons, financial responsibility, regulated sectors, or positions where the law requires such screening. However, requesting criminal records for ordinary roles without a specific legal or operational necessity may conflict with data minimization and proportionality.
If criminal record data is processed, the employer should document the legal basis, limit access, avoid unnecessary copying, define a short retention period, and ensure secure storage. The existence of a criminal record should not automatically lead to rejection or dismissal unless there is a lawful, proportionate, and job-related reason.
Workplace Monitoring, CCTV, Email, and Internet Use
Employers may have legitimate reasons to monitor the workplace, protect assets, ensure occupational safety, prevent misconduct, maintain IT security, and investigate legal claims. However, workplace monitoring must comply with KVKK principles. Monitoring should be transparent, proportionate, purpose-limited, and supported by a valid legal basis.
CCTV monitoring should be clearly notified through workplace notices and privacy texts. Cameras should not be placed in areas where employees have a high expectation of privacy, such as restrooms, changing rooms, prayer rooms, medical rooms, or private break areas. Camera recordings should be retained only for a limited period unless needed for a specific investigation or legal claim.
Email and internet monitoring also require caution. Employers should have written policies explaining whether corporate email accounts, devices, internet connections, messaging platforms, and software systems may be monitored. Secret, excessive, or continuous monitoring may violate employee privacy. The employer should prefer targeted and proportionate review based on a legitimate reason rather than broad surveillance.
Remote working has increased monitoring risks. Screen capture tools, productivity tracking software, keystroke logging, webcam monitoring, and location tracking may be highly intrusive. Employers should assess whether such tools are strictly necessary and whether less intrusive methods are available.
Employee Data Transfers
Employee data may be transferred to public authorities, social security institutions, tax offices, payroll providers, accountants, occupational health and safety providers, lawyers, auditors, banks, insurance companies, group companies, IT service providers, cloud platforms, and HR software providers.
Domestic data transfers are regulated under KVKK Article 8. Personal data cannot be transferred without explicit consent unless one of the legal conditions under Article 5 or Article 6 applies. For special categories of personal data, sufficient measures must also be taken.
Cross-border transfers are particularly important for multinational employers. A Turkish subsidiary may transfer employee data to a foreign parent company, global HR platform, payroll software, cloud server, internal audit team, compliance hotline, or regional management office. KVKK Article 9 was amended in 2024 and now provides a structured regime based on adequacy decisions, appropriate safeguards such as binding corporate rules or standard contracts, and limited incidental exceptions. Standard contracts must be notified to the Authority within five business days after signature.
Employers should map all international HR data flows and determine whether employee data is stored, accessed, supported, backed up, or analyzed outside Turkey. This is especially important for global HR systems, performance management platforms, applicant tracking systems, payroll software, cloud storage, and group-wide compliance tools.
Data Security Obligations of Employers
Employers are data controllers for most HR processing activities and must take technical and organizational measures to ensure personal data security. KVKK Article 12 requires data controllers to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. It also requires controllers to conduct necessary audits and provides that confidentiality obligations continue even after the relevant persons leave office.
In practice, employers should implement role-based access control, password policies, multi-factor authentication, encryption, secure archives, clean desk rules, HR confidentiality undertakings, audit logs, secure deletion systems, employee training, vendor due diligence, incident response plans, and internal disciplinary measures for unauthorized access or disclosure.
Sensitive HR data requires stronger protection. Health reports, criminal records, biometric templates, disciplinary investigations, whistleblowing files, and workplace harassment complaints should not be stored in ordinary shared folders or sent through unsecured email chains. Access should be limited, monitored, and justified.
Data Breach Notification
If personal data is obtained by others unlawfully, KVKK Article 12 requires the data controller to notify the data subject and the Personal Data Protection Board within the shortest time. The Board may also announce the breach where necessary.
In employment contexts, breaches may include sending payroll data to the wrong recipient, unauthorized access to personnel files, loss of employee health records, disclosure of disciplinary files, cyberattacks on HR systems, ransomware affecting payroll databases, or improper sharing of employee lists with third parties.
Employers should have an incident response plan specifically covering HR data. HR, IT, legal, management, and external vendors should know how to identify a breach, preserve evidence, contain the incident, assess risk, notify authorities, inform affected employees, and prevent recurrence.
Retention, Deletion, and Destruction of Employee Data
Employers must not keep employee data indefinitely. KVKK Article 7 provides that personal data must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully.
Retention periods should be determined according to labor law, social security law, tax law, occupational health and safety rules, limitation periods, litigation risks, and the purpose of processing. Some records may need to be retained for statutory periods. Other records, such as candidate CVs, access logs, CCTV footage, or internal notes, may require much shorter retention periods.
A proper HR retention policy should identify each data category, legal basis, retention period, destruction method, responsible department, and review cycle. When the employment relationship ends, the employer should not simply archive the entire personnel file forever. The file should be reviewed and retained only for legally justified purposes.
Employee Rights Under KVKK
Employees have data subject rights under KVKK Article 11. They may request to learn whether their personal data is processed, obtain information about processing, learn the purpose of processing, know third parties to whom data is transferred domestically or abroad, request correction of incomplete or inaccurate data, request erasure or destruction under legal conditions, object to certain automated results, and claim compensation for damages caused by unlawful processing.
Employers must respond to data subject requests within the legal period. Article 13 requires the data controller to conclude requests as soon as possible and at the latest within thirty days, depending on the nature of the request. If the request is rejected, found insufficient, or unanswered, the employee may complain to the Board after following the required application procedure.
HR teams should therefore have a request management procedure. A request may come from an employee, former employee, candidate, or intern. It may be sent by email, registered mail, internal HR platform, or another permitted method. The employer should verify identity, assess the request, protect third-party rights, respond clearly, and document the process.
Automated Decision-Making and HR Analytics
Employers increasingly use HR analytics, artificial intelligence tools, applicant tracking systems, performance scoring software, productivity tools, and automated screening systems. These systems may create legal risks if they produce adverse results against employees or candidates without transparency, fairness, or human review.
KVKK Article 11 gives data subjects the right to object to a result against themselves that arises from analysis of processed data exclusively through automated systems. This is especially relevant for automated CV screening, performance scoring, promotion decisions, termination risk analysis, fraud scoring, and productivity rankings.
Employers should ensure that automated HR tools are explainable, proportionate, non-discriminatory, and subject to human oversight. Data used for HR analytics should be accurate, relevant, and limited. Sensitive data should not be used in profiling unless there is a strong legal basis and strict safeguards.
Practical KVKK Compliance Checklist for Employers
A strong employee data protection program in Turkey should include the following steps:
- Prepare a detailed HR data inventory.
- Identify all employee, candidate, intern, and former employee data categories.
- Determine the legal basis for each HR processing activity.
- Separate ordinary personal data from special categories of personal data.
- Prepare employee, candidate, intern, and former employee privacy notices.
- Avoid unnecessary reliance on explicit consent.
- Use explicit consent only for optional or legally required consent-based processing.
- Review personnel file contents under Labor Law Article 75 and KVKK principles.
- Limit access to HR records based on role and necessity.
- Review health data, biometric data, and criminal record processing separately.
- Create workplace monitoring, CCTV, email, device, and remote work policies.
- Map domestic and cross-border HR data transfers.
- Review contracts with payroll providers, IT vendors, occupational health providers, and cloud platforms.
- Establish retention and destruction periods for HR records.
- Train HR, managers, IT, security, and finance teams.
- Prepare a data subject request procedure.
- Prepare a data breach response procedure.
- Conduct regular internal audits.
- Keep documentation proving compliance.
- Update policies when business practices or laws change.
Common Mistakes Employers Should Avoid
One common mistake is collecting excessive documents from candidates at the beginning of the recruitment process. Another is asking employees to sign broad consent forms for all HR processing activities. Employers also frequently fail to distinguish between privacy notices and consent forms.
Another serious mistake is storing health reports, criminal records, disciplinary files, and payroll information in shared folders accessible to many employees. Some employers also use biometric systems without considering less intrusive alternatives. Others conduct workplace monitoring without clear policies or proper notices.
Multinational employers may transfer employee data to foreign HR systems without completing the Article 9 transfer analysis. Smaller employers may ignore KVKK because they believe privacy law applies only to large companies. Both approaches are risky.
Legal Consequences of Non-Compliance
KVKK Article 18 provides administrative fines for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, breach of Data Controllers’ Registry obligations, and failure to notify standard contracts under Article 9/5. The law also provides that administrative fines imposed by the Board may be appealed before administrative courts.
In addition to administrative fines, employee data violations may create labor law disputes, compensation claims, invalid disciplinary processes, workplace trust problems, criminal law exposure in serious cases, and reputational harm. A privacy breach involving salaries, health records, disciplinary allegations, union membership, or criminal record data may seriously damage the employment relationship.
Conclusion
Employee personal data protection under Turkish labor and privacy law requires a careful balance between the employer’s management rights and the employee’s right to privacy. Employers need personal data to manage recruitment, employment contracts, payroll, social security, occupational safety, performance, discipline, workplace security, and legal claims. However, the processing that serves these needs must stay within the limits set by KVKK and Turkish Labor Law.
A compliant employer should process employee data lawfully, fairly, transparently, and proportionately. Personnel files should be maintained under Labor Law Article 75, but they should not become uncontrolled archives. Special category data such as health data, biometric data, criminal record data, and union membership information should be handled with heightened legal and technical safeguards. Workplace monitoring should be transparent and proportionate. International HR data transfers should be reviewed under the amended KVKK Article 9 regime.
For companies operating in Turkey, employee data protection is now a core HR compliance obligation. A strong compliance framework protects the employer in labor disputes, reduces regulatory risk, improves workplace trust, strengthens cybersecurity, and demonstrates respect for employee privacy. In an increasingly digital workplace, employers that manage employee personal data responsibly will be better positioned to avoid legal risk and build a sustainable, privacy-conscious workplace culture.