Turkey’s Data Protection Law, which was published in the country’s Official Gazette on April 7, 2016, established the legal framework for the protection of personal data in Turkey and added new obligations for employers.
Employers collect and use the personal data of potential, present, and former employees for various purposes, including recruitment, salary, personnel files, sickness records, and appraisals. Employers also have to collect employee data to comply with obligations set forth under Turkey’s Labor Law. Indeed, when dealing with employees’ personal data, employers should always consider the requirements of the Labor Law that may apply to the situation. For instance, Article 75 of the Labor Law provides that employers may not disclose information belonging to an employee if it is in that employee’s interest for the information to remain confidential. This provision also sets out that employers should use employees’ personal data in good faith and in accordance with other applicable laws.
Processing Special Categories of Employee Data
With the collection and processing of certain special categories of employee data, employers must ensure that they fall within one of the exceptions specified in Article 6 of the Data Protection Law. The first of the exceptions involves the explicit consent of the individual. This option should be an employer’s last resort due to the potential difficulties in obtaining the valid consent of an employee in an employer-employee relationship. According to Q&A published by the Data Protection Board, consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject.
Storing Personal Records of Employees
Employers start collecting details about employees from the moment they first apply for a position. Although records relating to employees can cover a broad range of activities, they should not be retained for longer than necessary. During the period of employment, employers have legitimate reasons to retain employees’ data – but once the employment is concluded, such reasons are likely to disappear (except in certain situations, such as a pending lawsuit between the parties).
Indeed, the Labor Law requires employers to retain employee data, with obligations also arising under company law, tax law, and health and safety law. However, once an employee has left, the employer should generally limit access to his/her records before they are erased. In these circumstances, data on former employees that must be retained should be securely archived and protected via limited access.
Employees do not lose their right to privacy in the workplace. However, this right to privacy is balanced against the legitimate rights of employers to operate their businesses and protect their companies or other employees.
Background checks represent a useful example of a conflict between the interests of employees and employers. Background checks on potential and existing employees are becoming ever more common. One of the reasons for this increase is the increasing awareness that data breaches frequently derive from the unethical and illegal activities of employees, rather than from technical vulnerability.
Background checks can operate on a range of levels, from checking people’s status on social networking websites to verifying their educational backgrounds to checks on past criminal activity. An employer must be careful not to compile blacklists as part of its background checking procedure or to identify individuals that it will not employ. Blacklists are a significant intrusion into a person’s privacy and are generally illegal.
The Data Protection Law came into force later than expected, but it has since spread far and wide in both the IT and legal sectors. Companies – who were already complaining about the high volume and low success rate of labor disputes – now have a brand new front to consider, potentially exposing them to even greater risks than labor lawsuits, and thus have an urgent need to carefully assess their current HR-related processing activities and identify the gaps with the Data Protection Law. Based on the results of this gap analysis, they will need to improve or create new procedures and implement the required mechanisms to comply with the law’s obligations.
By Efe Kinikoglu, Partner, and Ipek Asikoglu, Associate, Moral Law Firm
This Article was originally published in Issue 4.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.