29 January 2026

Employer Guidelines For The Protection Of Employees' Personal Data

CBC Law Firm

Contributor

CBC Law (Formerly Cetinkaya) is a full-service law firm based in Istanbul servicing local and international clients. Our lawyers have extensive expertise in advising on dispute resolution, business crime, technology, data protection and intellectual property. CBC Law prides itself on helping clients navigate their way through a constantly changing and challenging legal landscape. With a seamless multidisciplinary approach positioned at the intersection of industry knowledge and legal expertise, we provide our clients with legal solutions that are tailored to their needs in Turkey.

This article outlines employers' obligations regarding the protection of employees' personal data under Turkish law, focusing on the Personal Data Protection Law. It addresses lawful processing, transparency, data minimization, security, retention, transfers, and sanctions for non-compliance.

Personal data refers to any information relating to an identified or identifiable natural person. Within the scope of the employment relationship, employers have specific obligations to protect the civil and personality rights of employees. These obligations primarily arise from the nature of the employment relationship and are governed by the Turkish Code of Obligations ("TCO") and the Labor Law, depending on the characteristics of the work performed.

Pursuant to the TCO, employers are obliged to protect and respect the personality of employees within the employment relationship and to ensure workplace order in accordance with the principle of good faith. As personal data constitutes an integral part of personality rights, it is also protected under this framework.

Employer's Obligations Under the Personal Data Protection Law

Personal Data Protection Law No. 6698 ("PDPL") constitutes the primary legislation governing the protection of personal data under Turkish law. Employers who process employees' personal data are required to comply with the PDPL.

1. Complying with the Fundamental Principles

Under the PDPL, personal data must be:

  • processed lawfully and fairly,
  • kept accurate and up to date where necessary,
  • processed only for specified, explicit, and legitimate purposes,
  • relevant, limited, and proportionate to those purposes, and
  • stored only for the period required by applicable legislation or for as long as necessary to achieve the purpose of the processing.

Employers must ensure compliance with these fundamental principles as well as the lawful processing conditions set forth under the PDPL.

2. Obligation to Inform

Employers are required to inform employees about the processing of their personal data. As a best practice, employees should be provided with a privacy notice prior to the execution of the employment contract, clearly explaining which personal data are processed and for what purposes.

In certain circumstances, additional notifications may be required. For example, employers may use camera surveillance systems in the workplace within the scope of their managerial authority. However, employees must be duly informed of such monitoring activities. If an employee is unaware of the monitoring or is subjected to secret surveillance, the data obtained would be deemed unlawfully processed. (You may read our latest article on "Video Surveillance in the Workplace" here.)

In this regard, a compliance effort should be undertaken company-wide in the area of personal data protection, and the Human Resources department, in particular, should review which employee data is being retained. Along with this review, the necessary information must be provided appropriately to employees, job applicants, and interns.

Failure to comply with the obligation to inform may result in an administrative fine ranging from TRY 85,437 to TRY 1,709,200 (for 2026).

3. Assessment of the Necessity of Explicit Consent

Article 419 of the TCO is considered a special provision that strictly limits the employer's purposes for processing personal data. Under this provision, the processing of an employee's personal data must be directly related to the employee's suitability for the job or be compulsory for the performance of the employment contract. In addition, the provisions of special laws remain reserved.

Employers may process personal data without obtaining explicit consent if one of the legal conditions of Article 5 of the PDPL has been met, such as where the processing is explicitly provided for by law or is necessary for the establishment or performance of an employment contract. Additionally, Article 6 of the PDPL defines special categories of personal data and sets out stricter conditions for processing. For example, pursuant to Article 75 of the Labor Law, employers are legally obliged to maintain a personnel file containing essential employment records, which constitutes lawful processing without explicit consent. Accordingly, a thorough assessment under Articles 5 and 6 of the PDPL must be conducted to determine which data require explicit consent.

Where necessary, explicit consent must be obtained from employees. For example, consent may be required where photographs are taken at a social event organized by the employer and published on the company's social media accounts. It is important to note that explicit consent must be informed, specific to a particular matter, and freely given.

4. Collect Only What Is Necessary

In line with the principle of data minimization, employers should refrain from processing personal data beyond what is necessary. In practice, excessive and job-irrelevant data are often collected, particularly through job application forms. Employers should assess whether the requested information is genuinely necessary for the relevant position and review collection methods to ensure compliance with the PDPL.

5. Ensure Confidentiality and Security

Employers are responsible for ensuring the confidentiality and security of employees' personal data. The PDPL obliges employers to implement all necessary technical and administrative measures to prevent unlawful processing and unlawful access to personal data.

In the event of a breach of this obligation, employers may face administrative fines ranging from TRY 256,357 to TRY 17,092,242 (for 2026).

6. Check Accessibility

As an integral part of data security measures, employers must define authorization and access limits regarding employees' personal data. In some cases, employee data may constitute competitively sensitive information. Therefore, access should be restricted on a need-to-know basis. Employees likewise should not be able to access all data. Establishing a clear authorization matrix is essential in this regard.

7. Audit Data Transfers

Employers must comply with Articles 8 and 9 of the PDPL when transferring personal data. The requirements for data transfers and the identity of recipients must be carefully assessed, and it must be ensured that an adequate level of data protection is maintained at the recipient location. Where necessary, data transfer agreements or written commitments may be required.

For cross-border data transfers, an assessment under Article 9 of the PDPL must be conducted. As no adequacy decision has yet been issued by the Personal Data Protection Board ("Board"), employers should rely on appropriate safeguards, such as standard contracts, written commitments and the Board's approval, or binding corporate rules.

8. Disposal After Expiration

Personal data processing encompasses not only collection and recording but also storage and protection. Article 4 of the PDPL emphasizes that personal data must be stored only for the period required by applicable legislation or for as long as necessary to achieve the purpose of the processing.

Examples include:

  • Pursuant to Article 7/1(b) of the Regulation on Occupational Health and Safety Services, employers are required to retain employees' personal health records for at least 15 years following the termination of employment.
  • In the event of legal disputes between employers and employees, retaining relevant records until the expiration of the applicable statute of limitations may be necessary.

The legislation does not stipulate a retention period for every type of data. It is therefore important for companies to determine how long they need each type of data. Once the retention period has expired, the employer is required, either upon request or on its own initiative, to erase, destroy, or anonymize the employee's personal data under Article 7 of the PDPL. Hence, employers need to prepare a Personal Data Retention and Destruction Policy* in this regard.

Additional Obligations of the Employer

As a data controller, the employer has additional legal obligations, including:

  1. Registration with the Data Controllers Registry ("VERBIS") (if the registration conditions determined by the Board are met)
  2. Establishing a Personal Data Processing Inventory*
  3. Obligation to Respond to Applications Made by Employees

*: Legally required for employers subject to registration with VERBIS. However, those who are not subject to this obligation remain obligated to act in accordance with the Law and relevant legislation.

Conclusion

Employee personal data protection is regulated under multiple legal frameworks, including the TCO, the Labor Law, and the PDPL. Employers must fully comply with the PDPL and applicable legislation. Non-compliance with these regulations may result in both imprisonment under the Turkish Penal Code and administrative monetary sanctions under Article 18 of the PDPL. Last but not least, there is also a risk of compensation claims and loss of commercial reputation. By adhering to these principles and obligations, employers can ensure compliance with Turkish data protection laws while respecting the privacy and fundamental rights of employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
