Immediately after the Law on the Protection of Personal Data No. 6698 ("Law") came into force, on 7 April 2016, in Turkey, a variety of topics related to the law were enthusiastically discussed and argued by practitioners and other interested parties. By the first anniversary of the Law, many doctrinal issues had already been clarified. However, the scope and application of the law as it relates to the protection of employees' personal data is yet to be sufficiently elaborated or clarified. The underlying reason that keeps this issue at the forefront is that, according to the law, employers seemingly will no longer be able to share the personal data of their employees per se not only with third parties, but also with their headquarters, if those headquarters are located outside of Turkey.
Despite the fact that the processing of the personal data of employees is one of the key topics that the Law regulates extensively, one may argue that this is not a primary concern for employers because Article 75 of the Labor Law No. 4857 ("Labor Law") already obliges employers to keep personnel files for each employee. However, the new law is still relevant for employers in that, once employers intend to share and/or transfer the personal information of their employees, the Law sets particular red lines to be complied with. On the other hand, even before the Law, employers were already under the obligation to protect the personal rights and the privacy of their employees. More precisely, as per Article 75/2 of the Labor Law, employers may only share their employees' data in accordance with the applicable laws and the duty of honesty, and are not allowed to disclose information if an employee has a justifiable interest in keeping it confidential. Therefore, the Law combined with the Labor Law, further regulates how employers can use and share their employee data.
In practice, the Law introduces a significant new obligation for multinational companies operating in Turkey: as per Article 9 of the Law, no information can be transferred abroad without the explicit consent of the data owner. On the other hand, multinational companies generally prefer and endeavor to gather all employee-related records at one data center, usually located at a place outside of Turkey. The transfer of data to such centers, therefore, may be illegal unless the circumstances set forth under Article 5/2 or 6/3 of the Law are satisfied. Those two Articles elucidate the conditions under which the disclosure of information to entities outside of Turkey without the explicit consent of data owners (i.e., the employees) is permitted. Therefore, it's clearly foreseeable that, once multinational companies decide to continue to transfer employees' personal information abroad without obtaining the explicit consent of employees, how the Court of Appeals will approach and adjudicate this matter will constitute a vital precedent. It will provide a leading roadmap for employees' rights in Turkey.
In consequence, since the Court of Appeals' approach and attitude toward the protection of employees' personal rights is yet to be revealed, a particular uncertainty concerning the privacy of the personal data of employees will continue to prevail for a while. Once the doctrine is settled and precedents start to guide practitioners on this issue in an explicit manner, employers will have a comprehensive roadmap to avoid any legal breaches, whereas employees will be able to ensure that their personal privacy rights are duly protected.
This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in June 2017. A link to the full Legal Insight Quarterly may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.