The processing of employees' personal data and the presentation of this data as evidence in courts are of great importance in terms of ensuring the correct exercise of both employers' and employees' legal rights and obligations. However, the legislation does not include any direct regulation regarding the scope and limits of personal data that can be presented in lawsuits. For this reason, the decisions of the Personal Data Protection Board ("the Board") serve as a guide for ensuring the lawful conduct of these processes While these decisions determine the legal obligations that employers must comply with when processing personal data and using it as evidence, they also safeguard the protection of employees' personal data.
This bulletin aims to highlight the conditions for the transfer of employees' personal data, the obligations of the employer, and the considerations to be taken into account when submitting this data as evidence in courts, in light of Board's decisions.
Conditions for the Transfer of Employees' Personal Data
Article 4 of the Law on the Protection of Personal Data No. 6698 ("KVKK") sets forth the principles to be followed when processing personal data. These are: "compliance with the law and the rule of good faith", "being accurate and, where necessary, kept up to date", "being processed for specified, explicit, and legitimate purposes", "being relevant, limited, and proportionate to the purposes for which they are processed", and "being retained for the period stipulated by the relevant legislation or the period required for the purposes for which they are processed". The data controller must comply with these principles in all circumstances. However, the lawful collection and storage of personal data does not mean that this data can be transferred. The employer's submission of the employees' personal data as evidence in court falls within the scope of data transfer. For the transfer of data, the conditions for the transfer of personal data set out in KVKK must be complied with. The conditions for the transfer of personal data are regulated in Article 8 of KVKK. Accordingly, personal data may be transferred either with the explicit consent of the data subject or, without explicit consent, if the legal grounds specified in Article 5/2 or, in the case of special categories of personal data, Article 6/3 are met, provided adequate precautions are taken. Furthermore, the Law reserves the provisions of other laws regarding the transfer of personal data (Article 8/3).
Employers' obligations under Data Protection Law
The obligations of employers under data protection law are determined to ensure the protection of employees' personal data and the lawful processing of this data. These obligations are structured around the basic principles and procedures employers must comply with in their data processing activities. The obligations of employers can be grouped under four main headings: Obligation to Inform, Explicit Consent, Purpose Limitation and Data Minimization, and Data Security Measures.
1. Obligation to Inform: The employer is obliged to inform the employees about the processing and transfer of their personal data. This information must include the identity of the data controller, the purposes for which personal data will be processed, to whom and for what purposes the data may be transferred, the method and legal basis of data collection, and the rights listed in Article 11. The details of this obligation are regulated in the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform.
Indeed, the Board, in its decision dated 02/09/2022 and numbered 2022/896, regarding the sharing of the relevant individual's judicial correspondence information containing personal data with their sibling by the former employer, stated: "...The individual claimed that they were not informed about the processing of their personal data, while the data controller declared that verbal information had been provided regarding the processing of personal data, but no supporting document was submitted to the Board. Furthermore, considering that under Article 5(1)(e) of the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform, the burden of proof regarding whether the obligation to inform was fulfilled lies with the data controller, it was determined that the data controller should have informed the relevant individuals about the processing of personal data contained in the employee's personnel file and that the data controller was reminded to exercise due care and attention in fulfilling the obligation to inform by the relevant provisions of the Communiqué..."
2. Explicit Consent: For the transfer of personal data, explicit consent must be obtained from the employee. Explicit consent must be specific, informed, and freely given. The transfer of personal data without obtaining consent is considered unlawful. However, consent may be waived if the legal grounds in Articles 5 and 6 of KVKK apply.
Regarding this issue, the Board, in its decision dated 25/06/2020 and numbered 2020/494, concerning the submission of camera footage, which constituted personal data, by a courier company in an employment reinstatement lawsuit filed by the individual, stated:"...In response to the individual's claim that the camera recording was taken by the data controller courier company without obtaining explicit consent, it was evaluated that the data controller had previously informed the individual, by the personal data information notice signed by the individual, that camera recordings were taken at the transfer center. According to this information notice, signed by the individual, the data controller processed the camera recordings based on legally valid reasons. However, the data controller did not present a document proving that explicit consent was obtained from the individual. Considering that the data controller is a courier company, the Board referred to the "Procedures and Principles for Security Measures Regarding Postal Deliveries," approved by the Information and Communication Technologies Authority's decision numbered 2016/DK-YED/517. Article 6, paragraph 2, of this regulation, titled 'Control of Postal Deliveries with Imaging Devices,' stipulates that 'Service providers must install camera systems at postal acceptance centers, and the recordings must be kept for at least one (1) month to be submitted to relevant authorities if needed.' In light of these considerations, the Board determined that the courier company acted according to Article 5(2)(a) of the Law, which provides the legal basis 'explicitly stipulated by law.' Therefore, no further action under the Law was required regarding the complaint..."
Additionally, in the Board's decision dated 07/09/2023 and numbered 2023/1548, concerning the recording, sharing, and submission of audio recordings to a court without the explicit consent of the individual, the Board stated: "...In disputes between employees and employers, if the employer has no other means to prove the just cause for terminating the employment contract, or if there is a risk that evidence might be lost, the audio recording taken may be accepted as lawful evidence. In this context, the audio recording used as evidence to prove the employee's dismissal for just cause can be considered lawful. Moreover, in this specific case, the audio recording was not taken by the data controller but was shared with the data controller by a user/customer and was retained by the data controller because of its evidentiary nature. Therefore, the audio recording used as evidence for the rightful termination of the employment contract was lawfully submitted to the court under Article 8(2), referencing Article 5(2)(e) of the Law, which allows data processing when it is necessary for the establishment, exercise, or protection of a legal right..."
In Article 6, paragraph 1 of the Law, titled "Conditions for Processing Special Categories of Personal Data," it is stated that data related to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are considered special categories of personal data. The processing of special categories of personal data without the explicit consent of the data subject is prohibited.
In its decision dated 10/08/2023 and numbered 2023/1356, regarding the submission of footage showing an individual worshiping in a mosque by an employer in an employment reinstatement lawsuit, the Board stated: "...The personal data processing activity conducted by monitoring the place of worship through cameras within the framework of occupational health and safety cannot be based on one of the legal grounds for processing special categories of personal data outlined in Article 6 of the Law, nor can it be justified by the legitimate interest argument presented by the data controller. Furthermore, this special category of personal data processing activity does not comply with the general principles outlined in Article 4 of the Law, such as 'processing for specified, explicit, and legitimate purposes' and 'being relevant, limited, and proportionate to the purposes for which they are processed.' The place of worship does not have a function that necessitates being monitored within the scope of the data controller's work area. Additionally, there is no explicit provision in the laws allowing for the surveillance of places of worship in employment relationships. Therefore, the monitoring of the place of worship with cameras is not a lawful data processing activity..."
3. Purpose Limitation and Data Minimization: The personal data collected must be processed for specific, clear, and legitimate purposes. Employers should limit the data they collect to the minimum necessary for the purpose of its use as evidence. Furthermore, the principle of data minimization must be observed when collecting and processing personal data, meaning that only the data necessary should be collected and used.
Regarding this issue, the Board, in its decision dated 12/03/2020 and numbered 2020/212, concerning the use of security cameras with audio recording capabilities, stated: "...In order for audio recordings made by cameras to be considered a lawful personal data processing activity, they must comply with the principles required for the restriction of fundamental rights and freedoms outlined in the Constitution. In this context, if the intended benefit from the recording can be achieved through video recording without the need for audio recording, then making an audio recording would disrupt the balance between the purpose of the data processing activity and the means used, thus violating the principle of proportionality. It is clear that using audio recording systems in conjunction with video recording systems is far more intrusive than video recording alone. Furthermore, recording both video and audio through cameras may create concerns that individuals are being fully monitored, even in public areas, and considering that personal conversations or segments of personal life could be recorded, such a practice could harm the essence of the right to privacy. It should also be noted that the use of cameras with audio recording capabilities in public institution entrances for security purposes could lead to a general perception that this is necessary for similar environments, resulting in an overly broad exception to the right to personal data protection, which would harm the essence of this right..."
4. Data Security Measures: The employer is responsible for ensuring the security of personal data during its transfer. In this context, technical and administrative measures must be taken to prevent unauthorized access, loss, destruction, or alteration of the data. In general, these technical and administrative measures are regulated under Article 12 of KVKK, although it is not possible to define or list each specific measure. The decisions of the Board provide guidance in this regard. In its decision dated 31/01/2018 and numbered 2018/10.
In line with this, the Board, in its decision dated 02/09/2022 and numbered 2022/896, regarding the sharing of the relevant individual's judicial correspondence containing personal data with their sibling by the former employer, stated:"...The act of emailing the prosecutor's complaint, which contained personal data of the relevant individual and other persons, to a third party—who was identified as the individual's sibling but had no involvement in the matter—was not based on any of the legal grounds for processing personal data outlined in Article 5 of the Law. Consequently, it was determined that the data controller failed to fulfill its obligation to take the necessary technical and administrative measures to prevent the unlawful processing of personal data as required under Article 12(1) of the Law. Therefore, an administrative fine of 150,000 TL was imposed on the data controller under Article 18(1)(b) of the Law."
Furthermore, in its decision dated 10/08/2023 and numbered 2023/1356, concerning the submission of footage showing an individual praying in a mosque by an employer in an employment reinstatement lawsuit, the Board stated: "...As the data controller violated the obligation outlined in Article 12(1) of the Law, which requires the data controller to take the necessary technical and administrative measures to ensure an appropriate level of security and prevent the unlawful processing of personal data, an administrative fine of 300,000 TL was imposed on the data controller under Article 18(1)(b) of the Law."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.