Turkish Data Protection Board issues new Decision regarding employee personal data
In a decision dated 19 March 2021 (the “Decision”), the Turkish Personal Data Protection Board (the “Board”) imposed an administrative fine of TRY 250,000 (approximately EUR 26,500) on an employer (data controller) following a complaint from an employee (data subject).
The employee alleged that the employer:
- did not provide the necessary information for the processing and storage of the personal data;
- made it obligatory for all employees to provide their fingerprint data, but did not fulfil its obligation to inform and obtain explicit consent in this regard;
- did not provide necessary information concerning the conditions for the transfer to a third-party and storage of the biometric data.
In its defence, the employer stated that it:
- specified in the explicit consent text the purpose of (i) data processing and (ii) data transfer, and explained the data collection methods and data subjects’ rights;
- received explicit consent (wet signatures) from its employees;
- used the fingerprints of its employees for the purposes of emergency management, physical facility security and for the provision of information to authorised institutions;
- stored the fingerprints via a cryptographic method, and that they are therefore no longer biometric data.
What did the Board say?
In its Decision, the Board assessed whether the employer had fulfilled its obligation to inform and whether the explicit consent it had obtained was valid. The Board also applied the proportionality principle to the processing of fingerprint data and stated that the use of cloud systems located outside of Turkey constitutes a transfer of personal data abroad.
Employer’s obligation to inform
The Board states in its Decision that the obligation to inform is a requirement that data controllers are obliged to fulfil before starting any data processing activity, regardless of whether the data processing activity is based on explicit consent or not. The Board also highlights that the burden of proof regarding the fulfilment of this obligation belongs to data controllers.
Under the Turkish Personal Data Protection Law (the “Law”), where a data processing activity requires the explicit consent of data subjects, data controllers must fulfil the obligation to inform and obtain explicit consent as two separate steps. In the case in question, the employer used a single document, the “Consent for Employee on Personal Data Processing”, both as the clarification text and as the employee’s declaration of explicit consent. For this reason, the Board concluded that the text is in contradiction to the Law.
In its Decision the Board restates the general criteria of explicit consent: (i) it must relate to a specific matter; (ii) it must be given on the basis of the relevant information; and (iii) it must be declared by free will. The Board highlights the importance of free will in particular where the parties are unequal, as in an employer-employee relationship. In the case in question, the Board notes that the employer treated an employee’s personnel file as incomplete if the employee did not give explicit consent. Making consent a de facto condition of employment in this way undermines free will, and the consent so obtained is therefore in contradiction to the Law.
The Board also states that an employee cannot submit explicit consent on behalf of her partner or children and that any such explicit consent is invalid. In its Decision the Board also characterised as ambiguous the information provided by the employer on the personal data to be processed and transferred to third parties, stating that the complex structure of the employer’s explicit consent is in contradiction to Law.
In terms of fingerprint data, the Board states in its Decision that fingerprint data stored using the so-called “hashing method” remains biometric data, and thus rejected the employer’s argument that fingerprint data stored via a cryptographic method loses its biometric character. Hashing or encrypting a fingerprint template does not sever its link to the individual: the stored value is still derived from, and matched against, a unique physical characteristic of an identifiable person, so it remains personal data of a special category. For this reason, the data controller must obtain the explicit consent of the data subjects to process fingerprint data, which is considered sensitive data under the Law.
In its defence, the employer stated that it had processed employee fingerprints for emergency management, physical facility security and the provision of information to authorised institutions. The Board, however, states in its Decision that the employer could have achieved physical facility security and the other stated purposes with less intrusive means, such as a magnetic card system, an RFID tag, or an SMS code entered via mobile phone, instead of scanning fingerprints at workplace entry points. The Board therefore held that the employer’s implementation violated the proportionality principle.
Personal Data in cloud systems
The Board refers to its earlier decision on the use of the Gmail system and accordingly states that a storage service receiving personal data from a data controller or data processor constitutes a transfer of personal data abroad if the server is located outside of Turkey.
In its Decision the Board finds that the employer transferred personal data outside of Turkey and underlines that a data controller may transfer personal data abroad only if:
(i) the data subject has provided its explicit consent; or
(ii) the third country provides adequate protection for personal data (the Board has not yet provided the list of countries that provide adequate protection); or
(iii) the importing and exporting data controllers provide written undertakings to adequately protect personal data, and the approval of the Board is received.
The Board decided that, in the case in question, the employer had violated the Law because it did not rely on any of the above-mentioned legal grounds for the transfer of personal data abroad.