“Personality rights”, which are the essence of personal data, are set forth in the Personal Data Protection Law no. 6698 and other subordinate legislation, as well as in Article 20 of the Constitution and the Turkish Civil Code No. 4721. At a time when technological developments are difficult to keep up with, “personal data protection” has become important because information and data flow easily and without restriction. This article evaluates, within the scope of the Personal Data Protection Law no. 6698 and on the basis of art. 75/2 of the Labor Law No. 4857, employers’ obligations, as data controllers, to process and protect the personal data they obtain regarding their employees.
You can get legal support from Kılınç Law and Consultancy on ‘Data Protection and Cybercrime’.
Keywords: Employee, Employer, Employment Relationship, Personal Data Protection, Purpose Limitation, and Data Minimization
I. EMPLOYMENT RELATIONSHIP CONCEPT AND EVALUATION IN TERMS OF PERSONAL DATA
Sub-paragraph 1 (one) of article 2 (two) of the Labor Law No. 4857 (the “Labor Law”) defines the “employee” as a real person who works on the basis of an employment contract, the “employer” as real or legal persons, or unincorporated institutions and entities, that employ employees, and the “employment relationship” as the relationship established between the employee and the employer. If an employee does a job in favor of the employer’s interests within the employer’s business organization, an employment relationship is deemed to have been established.
It should be emphasized that, in the context of personal data protection, the definition of an employment relationship should be interpreted in the broadest way, regardless of whether the employee is subject to the Labor Law. In this regard, there is no doubt that trainees, seasonal agricultural employees, apprentices, part-time workers, and candidate employees are also covered by the employment relationship and are data subjects.
II. EMPLOYER’S OBLIGATIONS IN TERMS OF DATA PROTECTION LAW
In accordance with the Personal Data Protection Law no. 6698 (“PDPL”), personal data is defined as any information relating to an identified or identifiable real person. In this context, data such as photos, residence addresses, identification information, and telephone information included in the employee’s personal file is considered personal data, and storing it is considered a personal data processing activity. It is therefore important to determine the rules for processing employees’ personal data, especially taking into account the principle of “purpose limitation and data minimization”. Considering the Labor Code and the PDPL together, the employer’s obligations arising from the rules for processing these data can be listed under the following subheadings.
⮚ Obligation to Inform
The data subject should be informed in every case where his/her personal data is processed. Within the framework of article 10 (ten) of the PDPL, at the time when personal data are obtained, the data controller in person or the person authorised by him/her is obliged to inform the data subject about the identity of the data controller and of its representative, if any, the purpose of the processing of personal data, to whom and for which purposes the processed personal data can be transferred, the method and legal basis of the collection of personal data, and other rights referred to in Article 11 (eleven) of the PDPL.
Within the scope of this provision, the employer is obliged to inform its employees and the candidates applying for work about the purpose for which it receives their personal data, where and how the data is stored, to whom and for which purposes it will be transferred, and how it is used.
⮚ Confidentiality Obligation and Explicit Consent
Pursuant to subparagraph 1 (one) of article 3 (three) of the PDPL, explicit consent refers to “a consent which is specific to a subject, based on being informed and given with free will”, and the transfer, submission, and/or sharing of any information relating to an identified or identifiable natural person within the scope of the PDPL is, apart from the exceptions under the PDPL, subject to obtaining explicit consent. In parallel, subparagraph 2 (two) of article 75 (seventy-five) of the Labor Code states that “the employer is obliged to use the information obtained about the employee in accordance with the goodwill principles and the law and not to disclose the information that the employee has a justified interest in being undisclosed.” Accordingly, the employer is obliged to store the information it obtains on the basis of an explicit consent that complies with the PDPL.
On the other hand, the personal data of the employee may be transferred domestically, and in multinational companies it may also be transferred across borders. Therefore, employers of companies with employees whose personal data is subject to cross-border transfer shall absolutely be obliged to obtain the explicit consent of the employee regarding this transfer within the scope of the PDPL. Another point that should be noted here is that employers, as data controllers, are obliged to check that the country to which they will transfer personal data provides adequate protection, and otherwise they shall not transfer data.
As per sub-clause (b) of subparagraph 1 (one) of article 5 (five) of the Communique On Principles And Procedures To Be Followed In Fulfillment Of The Obligation To Inform, published in the Official Gazette dated 10th of March 2018 and numbered 30356, the obligation to inform and the obtaining of explicit consent shall be carried out separately. In other words, the employer shall prepare the “Privacy Notice” and “Explicit Consent Approval” documents to be attached to the employment contract issued and signed between the employee and the employer, and include them in the personal file by obtaining the original signature of the employee.
As a general rule, employers, as data controllers, shall obtain explicit consent when processing and transferring personal data belonging to their employees, although subparagraph 2 (two) of article 5 (five) of the PDPL regulates exceptional cases in which explicit consent is not required. Accordingly, the employer will be able to share information about employees with the relevant institutions within the scope of its obligations on matters such as taxes, social security premiums and/or salary payments in order to fulfill its legal obligations.
⮚ Data Protection and Security Measure
As per article 12 (twelve) of the PDPL regarding data security, the data controller is obliged to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the storage of personal data. The employer, as a data controller, is obliged to ensure the appropriate level of security in order to fulfill these obligations. In other words, the employer is obliged to protect the personal data of its employees by taking administrative measures, such as drafting a policy on the processing and protection of personal data, and technical measures, such as using a virus protection program and cyber-attack prevention systems.
⮚ Principles of Purpose Limitation and Data Minimization
It is fairly common in today’s recruitment procedures and employee-employer relations for data to be requested that is not related to the employee’s job definition, his/her abilities and skills for the job, or the information necessary for the execution of the employment contract. Sub-clause (ç) of subparagraph 2 (two) of article 4 (four) of the PDPL accepts the principle of purpose limitation and data minimization as a general principle for personal data processed. For this reason, it shall be adequate to process only the data which is required for the execution and performance of an agreement, which enables the continuation of the employment relationship, and which is necessary to enable the employer to fulfill its legal obligations arising out of the legislation. For example, if a candidate is asked in the recruitment process “whether he/she is considering getting married”, “whether he/she uses tobacco and/or alcohol” and/or about “his/her religion or sect”, the employer who thereby violates the principle of purpose limitation and data minimization may be held liable under the PDPL and other legislation, and sanctions arising from the Labor Code may also be imposed.
As a result of the employer’s obligation to comply with the principle of purpose limitation and data minimization, the personal data of employees shall be stored until the end of the statutory period and deleted and/or anonymized at the end of this period. In this context, particularly the resumes of candidates who are not hired should not be stored and should not be shared with other employers unless they have explicit consent.
The fact that personal data, which is a contaminant of the technology era, is easily accessible, stored, and shared has led to the need for “personal data protection” as a constitutional right. Within the scope of the Labor Code, employers are obliged to use the information obtained about the employee in accordance with the law and the goodwill principle, and not to disclose it unless the employee has a legitimate interest. The employee’s legitimate interest appears, under data protection legislation, as the explicit consent and the employer’s fulfillment of its legal obligations. In this context, the employer is obliged to inform the employee in all relevant cases while processing, storing and/or transferring personal data belonging to its employees to a third party, and to ask for the employee’s explicit consent if necessary. Moreover, the employer should take care not to process personal data that is not necessary for the employment relationship in case of future need, and should take into account the principle of purpose limitation and data minimization while processing personal data within the business organization.