Protection of Personal Data and Its Impact on Labour Law

Regulations on the protection of personal data in labour law existed well before April 7th, 2016, when DPL entered into force, although they were scarce and consisted mainly of framework provisions. One of these regulations is article 419 of the Turkish Code of Obligations (TCO), which consists mostly of umbrella provisions. According to this article, a worker’s personal data may be processed only to the extent that the data concerns the worker’s work-related qualifications or the processing is necessary for the performance of the labour contract. Article 75 of Labour Act No. 4857 also stipulates that employers are responsible for preparing a personnel file for each worker containing certain personal data, which must be used in compliance with the law and the principle of good faith and must not be disclosed to anyone when the worker’s interests call for it. The reason such provisions existed before DPL was enacted is the worker’s inferior economic position relative to the employer and the imbalance of power between the two at all stages of the employer-employee relationship. The practical effect of these regulations has been strengthened by DPL entering into force, and the protection of the personal data of workers and candidates has gained much more significance. Under DPL, a worker or candidate is the data subject who enjoys protection of his/her personal data, while the employer is the data controller, who must comply with legal terms and obligations in order to process such personal data. Consequently, the first and one of the most important obligations of the employer under DPL is to register in the Registry of Data Controllers, in which the employer must also include information such as the identity and address of the employer or its representative, which groups of data subjects’ personal data will be processed, for what purposes and for how long, the safeguards to be taken for data security, and information on possible data transfers.

Pre-Employment Processing of Personal Data 

Processing of data subjects’ personal data is not confined to the period between the start and end of the employer-employee relationship: it begins at the first job interview and, what is more, continues so that the data can be evaluated later for the same position or other vacancies if the parties, that is the employer and employee, cannot agree on the terms and recruitment therefore does not take place. The Human Resources department is where the most systematic and intensive processing of personal data takes place in a company at every stage of employment. Since the number of candidates whose personal data are stored by the Human Resources department is remarkably greater than the number of actual vacancies, companies must attach particular importance to the impact of the relevant regulations on the recruitment period, prepare data processing policies specific to recruitment and take the necessary precautions to ensure compliance with the law.

The general principle for lawful processing of personal data is that the explicit consent of candidates (“data subjects” under DPL) must be sought before the processing occurs or, at the very latest, during the processing, and that such data must be processed fairly, transparently and only for lawful purposes. Before explicit consent is sought, the obligation to inform candidates must be fulfilled by explaining to them what personal data will be processed, in what ways, for how long and for what purposes, when and how the personal data under processing will be destroyed, and that candidates may request that their data under processing be rectified or erased within the context of the right to be forgotten. Candidates must be informed about the company’s privacy policy, which must be written in clear, easily comprehensible language, and about which platforms, digital or physical, their personal data will be stored on.

The processing of their personal data must be carried out proportionately, in line with and limited to the purposes of processing. For instance, resumes presented to the employer by candidates might include a remarkable amount of information irrelevant to the position applied for. Of all the information given, only data reasonably connected with the position, such as data used to determine the candidate’s competency with respect to the required qualifications, must be stored; even such data must not be processed unless the processing is necessary for the lawful purpose in question.

To put it another way, it is preferable to process as little personal data as possible to achieve the company’s purpose, in this case assessment and recruitment, so that encountering an issue under DPL becomes much less likely. The minimum personal data obtained during job interviews must be classified according to whether or not they fall into a special category under DPL, which must also be complied with when processing or transferring data of any category.

Last but not least, when candidates are contacted through employment agencies or online job sites, it should be scrutinised and ascertained whether the activities of such entities or platforms conform to the legislation on protection of personal data. The first thing the employer must do is to determine for certain whether candidates have explicitly consented to the sharing of their personal data held by these agencies and sites with the employer, and to enter into a contract with these agencies and sites under which they shall be solely liable for unlawful processing of personal data, in case they are processing the personal data of data subjects (employees and candidates).

Practice of DPL During the Establishment and Presence of Employment Relationship

Personal data of employees are processed daily by the companies they work for. Apart from simple information such as salaries and sick leave, processing of personal data also encompasses video surveillance and the monitoring, via software, of employees’ daily internet use, private e-mail and telecommunication traffic. At least one of the following legal requirements under DPL article 5 must be met for such processing to be lawful:

  • The employee has given explicit consent upon being fully informed about the processing of his/her personal data (The obligation to inform shall only be deemed fulfilled after the employee has been told what personal data shall be processed in what way, where/on which platform, for how long and for what purposes as well as that the employee has the right to request rectification, completion or erasure of the personal data where such request has necessary legal grounds.)
  • The processing of personal data is necessary for the establishment and/or performance of the labour contract between the employer and the employee
  • The processing of certain personal data is a legal obligation of the employer explicitly indicated in legislation, or the employer has to process personal data in order to fulfil a legal obligation
  • The processing of personal data is in the employee’s best interests, or necessary for enabling the employee to obtain or exercise a right or protecting his/her rights
  • The employee has publicised his/her personal data
  • The processing of personal data is in the employer’s best interests and such processing does not violate the fundamental rights and freedoms of the employee

Since the validity and effect of the employee’s explicit consent would be questionable due to the employee’s economic dependency on the employer and the imbalance of power between them, the employer had better base the processing of personal data on the other legal grounds mentioned above where possible. It would be especially unreasonable to assume that the employee would consent to visual monitoring or audio recording at work, or to the monitoring of his/her e-mail and telecommunication traffic. Besides, such measures must be the last options to consider, owing to the principle that processing must be in conformity with and limited to the lawful purpose and proportionate. Therefore, such processing would be illegal as contrary to the principle of proportionality unless there is no other efficient means of achieving the purpose in question.

Article 75 of Labour Act No. 4857, which stipulates that employers are responsible for preparing a personnel file for each employee, is a good example of the legal obligations of employers. However, because the personal data to be included in these personnel files are not numerus clausus, that is, not limited by any legislation, the general principles under DPL article 4 must not be ignored when determining what personal data to process within these files, and in case of ambiguity the explicit consent of the employee must be sought as a precaution.

Although it is common practice among employers to insert a clause in the employment contract indicating the employee’s explicit consent to the processing of his/her personal data, the employee’s approval given by signing this contract can hardly be regarded as explicit consent: the most significant feature of explicit consent is that it is given of free will, and the employee cannot be expected to act of his/her free will at the stage of entering into an employment contract, where the imbalance of power between the employer and the employee is at its most apparent.

Moreover, because overseas transfer of personal data is subject to stricter and more specific terms under DPL, foreign companies with an establishment in Turkey must either obtain the employee’s further, explicitly given consent in order to transfer the employee’s personal data to one of their establishments abroad or, if the transfer is based on other legal grounds under DPL, ensure that the establishment abroad has sufficient safeguards for the protection of personal data and obtain a guarantee letter from that establishment if necessary.

Termination of Employment Relationship

Based on the explicit consent of the employee or the other legal grounds mentioned above, certain personal data may continue to be stored even after the employer-employee relationship ends. A textbook example of processing personal data after employment terminates is a non-compete agreement, for the performance of which the personal data of an ex-employee may continue to be processed. Apart from that, since a lawsuit might be filed over a dispute between the employer and the ex-employee arising from the terminated employment, the legitimate interest of the employer justifies the processing of the ex-employee’s personal data until the limitation period and other time limits for any claim have expired. Moreover, the employer may be required by law to store certain information about the former employee for some time even after the employment relationship ends.

However, since there will be no grounds for processing personal data once such justified reasons and legal obligations cease to apply, the employer is obliged to erase, destroy or anonymise the data pursuant to DPL article 7, either automatically or upon the request of the former employee. Personal data shall be presumed to have been anonymised only if they have been altered in such a way that they can no longer be used, alone or together with other data, to identify the person to whom they belong.

If the employer fails to erase or anonymise employees’ personal data even after the legal grounds for the processing of personal data under DPL article 7 have disappeared, the employer may be subject to criminal proceedings under article 138 of the Turkish Criminal Code, which provides for imprisonment of up to two years.

Failure to fulfil the obligation to inform the data subject when seeking explicit consent, failure to ensure the security/privacy of the employee’s personal data and failure to register in the Data Controllers’ Registry are stipulated as misdemeanors under DPL article 18, leading to fines of 5.000 TL to 100.000 TL for failure to fulfil the obligation to inform; 20.000 TL to 1.000.000 TL for failure to register in the Data Controllers’ Registry; and 15.000 TL to 1.000.000 TL for failure to ensure the security/privacy of personal data.