- within Strategy, International Law and Tax topic(s)
DPA Issues Principle Decision on Biometric Data Processing for Workplace Attendance Tracking
The DPA published a public announcement regarding the Board’s Principle Decision dated 29 April 2026 and numbered 2026/921, concerning the processing of biometric data for tracking employee working hours.
According to the announcement, using biometric authentication systems (such as fingerprints, facial recognition, iris/retina scans) for attendance tracking creates a legal conflict with data protection principles. Due to the structural power imbalance in employment relationships, relying solely on explicit consent is deemed insufficient and legally unstable, as employees lack a truly free will to object or withdraw consent. Furthermore, since there is no explicit statutory provision requiring attendance to be tracked via biometrics, such practices fail to meet the “proportionality” and “data minimization” principles under Article 4 of the Personal Data Protection Law (“the Law”), especially when less intrusive alternative methods exist.
Consequently, the Board decided that data controllers must utilize alternative tracking methods; such as PIN/password systems, traditional paper sheets, RFID/NFC cards, or manual logs under supervision, instead of biometric systems. Ensuring compliance with this rule is considered a mandatory technical and administrative security measure under Article 12 of the Law, and data controllers who fail to comply will face administrative sanctions pursuant to Article 18 of the Law.
DPA Regulates Security Camera Usage in Apartment Buildings
The DPA published a public announcement clarifying the legal boundaries for residential datacontrollers, suchasapartmentandcomplex managements, when deploying security camera systems in common areas. While cameras can be legally installed for legitimate security, crime prevention, and property protection purposes under Condominium Law No. 634, the resulting data processing must strictly comply with the fundamental privacy and data protection principles of the Law.
According to the announcement, camera placement must carefully respect residents’ reasonable privacy expectations. Systems must not monitor stairwells or private apartment entrances in a way that reveals the inside of a home, and highly intrusive technologies like audio recording or facial recognition are strictly prohibited. Furthermore, surveillance inside confined spaces like elevators requires explicit justification, while all captured footage must be kept only for a reasonable duration with access restricted to authorized personnel. Data controllers are also required to post clear signs or privacy notices in the monitored areas to fulfill their legal obligation to inform residents and visitors.
Consequently, implementing these specific guidelines is deemed a mandatory technical and administrative security measure under Article 12 of the Law. The DPA explicitly warned that residential managements failing to comply with these standards will face administrative fines and legal sanctions pursuant to Article 18 of the Law.
DPA Issues Guidance on Security Camera Usage in Workplaces
The DPA published a public announcement clarifying the legal boundaries for workplace securitycameras. While surveillance ispermitted for legitimate purposes like ensuring workplace safety and crime prevention under Laws No. 6098 and 6331, employers must strictly comply with the core privacy principles of the Law to prevent widespread privacy violations.
According to the announcement, camera usage must respect employees’ reasonable privacy expectations and adhere to data minimization. Employers are strictly prohibited from using surveillance for abstract or disciplinary purposes, such as tracking employee efficiency or performance. Highly intrusive features like audio recording are heavily restricted, and cameras are completely banned in private zones like restrooms, changing rooms, and break areas.
Consequently, employers acting as data controllers must implement technical and administrative measures under Article 12 of the Law, including setting up strict access authorization matrices, keeping footage only for the minimum required duration, and utilizing automated data destruction. They are also legally obligated under Article 10 of the Law to provide explicit privacy notices to staff and visitors. The DPA warned that non-compliance will result in administrative fines under Article 18 of the Law.
DPA Halts Municipalities’ Live Broadcasts for Touristic Promotion
The DPA issued a public announcement ordering municipalities to immediately stop live-streaming footage of public tourist areas on their websites. The Board ruled that capturing recognizable faces and license plates constitutes unauthorized personal data processing under the Law, as it violates individuals’ reasonable expectations of privacy in public spaces and exposes them to tracking risks by third parties.
Since municipal laws do not grant a statutory mandate for such surveillance, these live streams cannot be justified under “legitimate interest.” Municipalities must switch to anonymous alternatives, such as digital blurring or non-personal imagery. Data controllers failing to comply with these guidelines will face administrative fines and legal sanctions under Article 18 of the Law.
Meta Relaunches Threads in Turkey Following Antitrust Approval
The Turkish Competition Authority has approved Meta’s compliance commitments, allowing Threads to relaunch in Turkey after a two-year hiatus. Under the approved framework, users can now choose to create an independent Threads account using only their mobile number. If this option is selected, Meta is prohibited from merging the user’s Threads data with their Instagram data, ensuring full regulatory compliance.
Constitutional Court Judgment on Processing Publicized Data
The Constitutional Court (“AYM”) evaluated a 100,000-TL KVKK fine imposed on a company for using publicly available contact information to make marketing calls. While the Board argued that public data cannot be used outside its original intent, the AYM annulled the sanction, ruling that it violated the principle of legality in crime and punishment. The Court highlighted that penalizing “use outside the purpose of publicization” is not explicitly or predictably defined within the text of the Law itself but was instead improperly based on the regulatory authority’s guidelines.
Importantly, the AYM clarified that this decision does not mean personal data on the internet can be freely exploited. Using visible contact information for commercial purposes does not automatically become lawful, the original context, intent of publicization, and processing purpose remain legally binding. The ruling strictly establishes that administrative penalties must be clearly grounded in statutory law.
Data Breach Notifications- July 2026:
|
Data Controller / Sector |
Affected Data Subjects |
Affected Personal Data Categories |
Number of Data Subjects |
|
Udemy Inc. / Education |
Customers and potential customers |
Name, surname, phone number, email address, and address information |
Approximately 12,000 individuals. |
|
Beyoğlu Çikolata Sanayi Ticaret Anonim Şirketi / Food |
Customers, potential customers and employees |
Identity, communication, personnel, customer transaction, financial, professional experience, marketing, and health information |
Due to the data controller’s inability to access the data and the absence of physically stored data, the number of individuals affected by the breach cannot be determined at this stage. |
|
Tempo Makina Pazarlama A.Ş. / Machinery |
Employees, customers and potential customers |
Identity, communication, location, personnel, customer transaction, financial, professional experience, marketing, audio/ visual records, racial and ethnic origin, health information, and biometric data |
Not yet determined. |
|
Mepa Aktif Elektrik Pazarlama Sanayi ve Ticaret A.Ş / Electricity |
The groups of data subjects who may have been affected by the breach cannot be determined with certainty at this stage; however, considering the company’s operations and based on the results of the upcoming technical investigation, it is evaluated that certain personal data belonging to employees, former employees, employee candidates, customers, suppliers, business partners, authorized persons/representatives, and third parties in a commercial or legal relationship with the company may have been affected. |
Could not be determined with certainty |
At the current stage, the groups of data subjects who may have been affected by the breach cannot be determined with certainty. |
|
Data Controller / Sector |
Affected Data Subjects |
Affected Personal Data Categories |
Number of Data Subjects |
|
Makel Elektrik Malzemeleri San. ve Tic. A.Ş. / Electricity |
The groups of data subjects who may have been affected by the breach cannot be determined with certainty at this stage; however, considering the company’s operations and based on the results of the upcoming technical investigation, it is evaluated that certain personal data belonging to employees, former employees, employee candidates, customers, suppliers, business partners, authorized persons/representatives, and third parties in a commercial or legal relationship with the company may have been affected. |
Could not be determined with certainty |
Not yet determined. |
|
Baltaş Eksen Seçme Değerlendirme Eğitim ve Org. Tic. AŞ / Consulting |
Employees, users, customers, potential customers, and other individuals who are not yet known |
Identity and communication data of users registered to the web application, session and access logs (transaction security), and customer/business partner information within the scope of corporate files located in the SharePoint folder (customer transaction) |
Not yet determined. |
|
Doro Dizayn Teksil Sanayi ve Dış Ticaret Limited Şirketi / Textiles |
Employees and users |
Transaction security, risk management, finance, and marketing data |
Between 1 and 10,000 |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.