Turkey: Employee Data Privacy - A Regional Overview

A. Is there a law/Code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction? There are no specifi c regulations in Turkiye in terms of collection, use or process of personal data. However, a number of laws deal with the protection and privacy of personal data; such as the Turkish Constitutional Law, Turkish Civil Code, Turkish Criminal Code, Turkish Labour Code, and Banking Act.

Article 20 of the Turkish Constitutional Law (Law No. 2709) (published in the Offi cial Gazette dated November 9, 1982 and numbered 17863 as amended from time to time) regulates the privacy of private life and provides that:

"Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated."

Furthermore, the foregoing article prohibits the search or seizure of any individual, his private papers, or his belongings unless there exists a decision duly passed by a judge on grounds such as national security, public order or prevention of crime; and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial. In addition Article 22 of the Turkish Constitutional Law preserves the secrecy of communication.

The Turkish Civil Code (Law No. 4721) (published in the Offi cial Gazette dated December 8, 2001, No. 24607) sets out a number of provisions with respect to the protection of personal privacy as well as the Banking Act numbered 5411 (published in the Offi cial Gazette dated November 1, 2005, No. 25983), which also provides a number of provisions dealing with the protection of confi dentiality of data concerning the customers of banks. Please refer to the sections below for the related provisions under Turkish Criminal Code and Turkish Labour Code.

B. Is there a legal requirement to have a document (e.g., privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

Pursuant to Article 75 of Turkish Labour Code (published in the Offi cial Gazette dated June 10, 2003 and numbered 25134), employers shall prepare a personnel fi le for each of their employees to include all kinds of information, documents and records besides the employee's identifi cation data. The said fi le shall be prepared in accordance with the Turkish Labour Code and other laws. The personal data in the personnel fi le must be kept strictly confi dential other than disclosing it to authorized offi cers and authorities upon request.

C. For how long must an employer retain an employee's personal data? What is the best practice?

Turkish Labour Code does not provide a specifi c time limit to retain the personal data. However, under Turkish law, in relation to the issues on which no time limits have been regulated, the general provisions of the Code of Obligations (published in the Offi cial Gazette dated May 8, 1926 and numbered 366) apply which set forth a time limit of 10 years.

In light of the above, we are of the opinion that the personal data shall be kept for 10 years following the termination of employment relationship.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

Save for those that may constitute exceptions to the following general rule, in order to transfer the personal data to foreign countries and disclose the same or a part thereof to a foreign court or other foreign state authority, prior written consent of the employee should be obtained.

E. What are the legal restrictions on transferring employees' personal data to a third party?

Please note that the Turkish Criminal Code (No. 5237) (published in the Offi cial Gazette dated October 12, 2004 and numbered 25611) regulates the violation of privacy of the private life, and it provides that storage, transmission, reception, deletion or destruction of personal data unlawfully may be punished in diff erent manners including imprisonment.

F. What are the consequences of breaching privacy laws in your jurisdiction?

The Criminal Code provides that unlawful storage of personal data is subject to a penalty of imprisonment from six months to three years. In the case of unlawful transmission or reception of personal data, the penalty is increased to imprisonment from one year to four years. In the event that such crime is committed by government offi cials or to facilitate the performance of a profession, the punishment shall be increased by half.

Furthermore, those who do not delete or destroy the Personal Data in spite of the expiry of the time period stipulated in the relevant laws for the maintenance of such data shall be punished by imprisonment from six months to one year.

Since there is no defi nition of "unlawful" under the laws, the term "unlawful" in this context may be interpreted as storage or transmission of personal data without the consent of the relevant individuals.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

As previously stated, there are no specifi c regulations in Turkiye in terms of collection, use or process of personal data. Therefore, to avoid any inconveniences, a prior consent letter with a suitable content should be obtained from the employee.