- Legal Basis of Personnel Attendance Control Systems
As of today, developments in the technology sector are reflected in numerous details and cause changes in various systems in both business and daily life. Along with this, invasions of privacy and personal data protection rights occur in different ways. One of the relationships affected by this is the employee-employer relationship.
The nature of the relationship between an employer and an employee has distinctive aspects compared to other kinds of contractual relationships. According to the Labour Law[1], an employment contract consists of one party (the employee) undertaking to work as a dependent and the other party (the employer) undertaking to pay wages. The essential element of an employment contract is considered to be the employee's dependence on the employer.
In determining whether an employee is dependent, the criterion of performing the work for the benefit of the employer within the employer's organization should be taken into consideration, as well as the criterion of performing the work under the surveillance and supervision of the employer. Moreover, the employer's right to surveil and supervise[2] employees turns into a duty imposed on the employer within the legal framework[3].
At this point, employers prefer to use Personnel Attendance Control Systems ("PACS") to supervise their employees by processing their working hours and making analyses to evaluate employee performance and productivity. PACS are automated systems that record employee data such as working hours, leave of absence, assignments and excuses regarding absenteeism, and that prepare/store payroll cards using these data. As of today, there are various types of PACS: fingerprint readers, palm readers, facial recognition devices and employee card readers.
- Evaluation of Biometric Data Processing Using PACS
According to the European Union's General Data Protection Regulation ("GDPR"), biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data[4]. Biometric data has not yet been defined under the Personal Data Protection Law[5] ("KVKK") or any other Turkish regulation. However, biometric data is one of the special categories of personal data determined under Article 6 of KVKK. Data such as fingerprints, palm prints, iris and facial patterns are considered biometric data.
Both the GDPR and KVKK define special categories of personal data as a data category that is sensitive and in particular need of special protection. Article 6 of the KVKK prohibits processing special categories of personal data without obtaining the explicit consent of the data subject, but it also regulates an exception to this rule: only if a Turkish law permits the processing of a special category of personal data may it be processed without obtaining the explicit consent of the data subject. Accordingly, there are two legal grounds for processing biometric data: (i) obtaining the data subject's explicit consent, or (ii) finding a legal ground in a Turkish law.
- Explicit Consent
Since there is no legislation under Turkish law that requires or permits an employee's biometric data to be processed by the employer, the legal ground for the processing shall be obtaining the explicit consent of the employee.
Explicit consent has been defined under KVKK as freely given, specific and informed consent[6]. According to this definition, there are three core elements that qualify a consent as explicit: (i) freely given, (ii) specific, (iii) informed. The element "free" implies real choice and control for data subjects. As a general rule, if the data subject has no real choice, feels compelled to consent, may endure negative consequences in case of not giving consent, or consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. The notion of imbalance between the controller and the data subject is also taken into consideration.
When the relationship between employee and employer is examined, it is highly possible that employees feel obliged to give their consent and face negative consequences otherwise, and it is clear that there is an imbalance in the relationship[7]. Due to the dependency that results from the employer-employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is therefore unlikely that an employee would be able to respond freely to a request from his/her employer for consent to their biometrics being processed by PACS.
Therefore, for the majority of such data processing at workplaces, the lawful basis is not met by obtaining the employee's consent, due to the nature of the relationship between employer and employee. However, this does not mean that employers can never rely on consent as a lawful basis for processing. There may be situations in which the employer can demonstrate that consent actually is freely given, namely where there will be no adverse consequences at all whether or not the employee gives consent.
- Necessity and Proportionality Assessments
Necessity and proportionality are general principles of EU law. Necessity is a fundamental principle when assessing the lawfulness of the processing of personal data. The processing operations, the categories of data processed and the duration for which the data are kept shall be strictly necessary for the purpose of the processing[8]. When assessing the processing of personal data, proportionality requires that only personal data which are adequate and relevant for the purposes of the processing are collected and processed[9].
In terms of PACS, to assess necessity it shall be evaluated whether it is the only option to fulfil the objective of the data processing with minimum invasion of privacy and the right to personal data protection. Then, a fair balance test should be applied to assess whether it is reasonable to process biometric data for that objective.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "Dutch Authority") has issued a fine of EUR 725,000 on a company for unlawfully processing fingerprints of its employees for PACS purposes[10]. The Dutch Authority concluded that the employer had not fulfilled the necessity assessment, and that the "necessity" exception may only be relied upon when buildings and information systems need to be secured in such a way that this cannot be done without using biometrics.
Also, the Turkish authority, the Personal Data Protection Board ("Board"), has issued a fine of TRY 225,000 regarding biometric data processing by using a palm reading system for recording the entrance and exit times of users of a gym[11]. It is important that the Board evaluated the concrete case within the scope of proportionality under Article 4 of KVKK in a broader sense that includes both necessity and proportionality. As a result, the Board concluded that processing biometric data is unlawful, even if the data subject's explicit consent is obtained, where there are alternative options to achieve the objective with less invasion of the data subject's privacy.
- In Conclusion
Special categories of personal data, including biometric data, are considered more sensitive and more private than regular personal data. Accordingly, both data protection laws and authorities all around the world tend to set more stringent conditions when it comes to processing biometric data. Due to its nature, the employer/employee relationship tends to be unilateral, and this affects the validity of an employee's explicit consent, especially in terms of its being freely given. Nonetheless, an employer may prove that the consent obtained from the employee is explicit by establishing the terms of the concrete case.
However, it is not sufficient to validate biometric data processing only by establishing that explicit consent has been obtained. Employers are also expected to prove that processing biometric data is necessary and proportionate in terms of the concrete case, which may be assumed not to be possible for the time being, considering the current jurisprudence of data protection authorities and the option to use PACS with card reader systems.
1. Labour Law dated 22.05.2003 and numbered 4857 has been published in the Official Gazette dated 10.06.2003 and numbered 25137.
2. Article 399 of Turkish Code of Obligations dated 11.01.2011 and numbered 6098 has been published in the Official Gazette dated 04.02.2011 and numbered 27836.
3. Article 5 of the Occupational Health and Safety Law dated 20.06.2012 and numbered 6331 has been published in the Official Gazette dated 30.06.2012 and numbered 28339.
4. Art 4 (14), GDPR.
5. Personal Data Protection Law dated and numbered 6698 has been published in the Official Gazette dated 07.04.2016 and numbered
6. Art 3(1)(a), KVKK.