The Principle Decision On The Processing Of Biometric Data For Employee Attendance Tracking Has Been Published

On 2 June 2026, the Personal Data Protection Authority (the “Authority”) published the “Principle Decision on the Processing of Biometric Data for Employee Attendance Tracking” (the “Principle Decision”). The Principle Decision indicates that institutions and organizations are increasingly resorting to biometric recognition systems in order to digitalize employee attendance tracking and enhance security; however, due to the sensitive nature of biometric data and the structural imbalance of power in the employer-employee relationship, such data processing activities must be assessed not only in terms of legal basis, but also in terms of the general principles set out under Article 4 of the Personal Data Protection Law No. 6698 (the “Law”).

The key points highlighted in the Principle Decision are summarized below:

• Biometric data constitutes special categories of personal data, which are exhaustively listed under Article 6 of the Law. In this context, for biometric data to be processed, one of the legal grounds for processing specified in Article 6 of the Law must be present.

• Fingerprints, facial recognition, iris and retina data are given as examples of physiological biometric data, while voice patterns, signature dynamics and keyboard usage habits are given as examples of behavioral biometric data.

• Although the legislation on the monitoring and documentation of working hours imposes certain obligations on employers, there is no explicit statutory provision requiring employee attendance tracking to be carried out through the processing of biometric data.

• Therefore, it is considered that the processing of biometric data for employee attendance tracking purposes cannot be based on the legal ground of being “explicitly provided by laws”.

• In practice, it is observed that biometric data processing activities for employee attendance tracking purposes are mostly based on the legal ground of explicit consent since biometric data processing activities for the purpose of tracking working hours do not rely on the other processing conditions set forth in Article 6 of the Law. However, due to the imbalance of power in the employer-employee relationship, it is not possible to accept that explicit consent is based on free will.

• The existence of a legal basis alone is not sufficient for biometric data processing activities. The data processing activity must also comply with the general principles set out under Article 4 of the Law, particularly the principle of being related to, limited to and proportionate to the purposes for which they are processed.

• The principle of being related to and limited to the purposes for which they are processed requires that the least intrusive method be preferred in order to achieve the purpose of the personal data processing activity. The Authority has assessed that alternative methods are available in employee attendance tracking processes.

• In terms of the principle of proportionality, the Authority has assessed that the processing of biometric data for a limited administrative purpose such as employee attendance tracking constitutes a disproportionate intervention and is contrary to the principle of proportionality.

• Therefore, less intrusive alternative methods such as encrypted card systems, PIN-based systems, traditional signature and paper-based attendance sheets, RFID/NFC identity cards or manual entry-exit recording under the supervision of an inspector should be preferred in employee attendance tracking processes.

The foregoing matters are considered to fall within the scope of the organisational and technical measures to be taken by data controllers pursuant to the first paragraph of Article 12 of the Law in order to ensure that personal data is processed lawfully, and if non-compliance with these matters is identified, administrative fines may be imposed on data controllers pursuant to Article 18 of the Law.