In the decision numbered 2018/11988, dated 10 March 2022 and published in the Official Gazette on 19 April 2022, the General Assembly of the Constitutional Court of the Republic of Turkey ruled that the right to protection of personal data in the context of the right to privacy is violated by the collection of fingerprint data from employees for workplace surveillance purposes.
The fingerprint of the claimant, a civil servant of Söke Municipality, was collected and processed by the municipality in order to record the claimant working hours. The claimant argued that fingerprints are personal data that allow for the physical identification of an individual and filed an objection to this data processing system with the municipality. After the municipality rejected the objection, the claimant filed a lawsuit with the Administrative Court of First Instance in order to have the municipality's objection overturned. The Administrative Court of First Instance upheld the action and overturned the objection. The municipality appealed.
At the appeal stage, the Regional Court of Appeal overturned the decision of the Administrative Court of First Instance on the grounds that the use of technological systems by public institutions to facilitate the effective and efficient delivery of public services is in line with the public interest and the needs of the service. The claimant then applied to the Constitutional Court with an individual complaint.
The Constitutional Court emphasised that there are a limited number of special categories of personal data and that their processing is subject to stricter conditions than those of general categories of data. The "fingerprint" is a special category because it is biometric data containing physiological information that belongs only to a single person and can help to directly determine the identity of the person. Therefore, such data may not be processed:
without the explicit consent of the person concerned;
unless the conditions of the Personal Data Protection Law are met; or
without any other explicit legal provision.
In this particular case, the Constitutional Court found that none of the above conditions were met.
According to the decision, in order to implement applications such as personnel tracking systems that work with the collection of biometric data, the following conditions should be met under the supervisory and administrative powers of a state institution:
the existence of a legitimate objective;
the absence of any other appropriate method that is less intrusive on rights and freedoms to achieve the objective; and
the implementation of the application is limited to the achievement of this objective.
Currently, Turkish law does not allow institutions to collect employees' fingerprints in order to track their working hours in systems (as described above) without the employees' explicit consent. Therefore, even in workplaces that are considered government facilities, the "explicit consent" of employees must be obtained, as biometric data cannot be collected from employees without such consent or other explicit legal provision, thus fulfilling the conditions of the Personal Data Protection Law.
For more information on data protection laws in Turkey, please contact your CMS client partner or local CMS experts: Sinan Abra