Workplace privacy issues, especially those relating to the privacy of employees’ communications, have been a major issue for both employment and privacy law practitioners.
Recently, concerns have become exacerbated by the ubiquitous use of electronic communication technologies and initiatives such as “Bring Your Own Device” policies which allow employees to use their own electronic devices for work. The operational requirements of multinational organizations which force them to transfer data to overseas entities can magnify the problems. These developments and requirements have significantly increased employers’ access to their employees’ personal data, whether intentional or unintentional. As a result, employers have increasingly had the opportunity, and at times the misfortune, to collect and process their employees’ personal data.
Until recently, Turkey only had a limited number of laws directly applicable to workplace privacy issues. These laws were unclear and dispersed among various codes and regulations, making them inconsistent and sometimes incoherent. Thus, they fell short of addressing the legal questions that the employers’ practices posed. In most cases, it was the Turkish Supreme Court which filled in this gap. In fact, for many years the decisions handed down by the chambers of the Supreme Court in charge of labor disputes have proved to be the only useful guidance for workplace privacy questions. With the April 7, 2016, adoption and October 7, 2016, entry into force of the Law on the Protection of Personal Data (LPPD), however, things will undoubtedly start to change.
Like the Turkish Constitution, the LPPD requires organizations to obtain the explicit consent of individuals before they can process those individuals’ data. Obtaining explicit consent, however, is easier said than done. This is because consent is valid only if it is given freely, which is hard to achieve in the context of workplace privacy. Luckily for employers, and similar to EU legislation, the LPPD provides certain exceptions on which employers can rely to process employees’ personal data for which they were unable to collect explicit consent or where the consent that was collected may be deemed invalid.
The first and foremost exception many employers rely on is where processing is permitted by law. Employment legislation will therefore be an important source for processing activities. Employment contracts and other legal obligations of employers will also likely be popular exceptions for employers. Likewise, one of the exceptions for processing data in the absence of explicit consent that will be most commonly used will allow data controllers to process data for their own legitimate interests. A hindrance is that these exceptions apply only to the processing of non-sensitive personal data. To process sensitive personal data, such as criminal history and genetic and biometric data, employers are required either to obtain the explicit consent of employees or to base their processing activities on a specific law. Obviously, this will be highly impracticable and nearly impossible for some employers.
In addition to those related to consent, there are other rules which employers must observe in their processing operations. These include notifying employees of processing activities and maintaining a mechanism through which employees can exercise their rights of access to their personal data. These are also expected to give rise to significant issues, such as how notifications will be made and how employees can exercise their rights during an internal investigation conducted for compliance purposes.
As is evident, the LPPD creates more questions than it answers. At this stage, it is uncertain how the LPPD will mesh with requirements under other laws. Moreover, since the LPPD only sets forth the general rules, it will be necessary to consider the case law in Turkey – the approach of the Turkish Constitutional Court and the Supreme Court in particular – in order to decide how employers must comply with these rules in practice. In this scope, the main issue is how employers will create a balance between business management judgment and the right to privacy and freedom of communication which are guaranteed under the Constitution of the Republic of Turkey. The striking of this balance will mitigate the risk of violation of these fundamental rights and place employers on the safe side.