The Turkish Data Protection Board Issued a Principle Decision on the Processing of Biometric Data for Attendance Tracking Purposes

Recent Development

The Turkish Data Protection Board’s (“Board”) principle decision dated 29 April 2026 and numbered 2026/921 on the Processing of Biometric Data for Attendance Tracking Purposes (“Principle Decision”) was published in the Official Gazette dated 2 June 2026 and numbered 33268.

In the Principle Decision, the Board evaluates the reports and complaints submitted to the Authority regarding the use of biometric recognition systems for the purposes of digitising employee attendance tracking and enhancing security.

What Does the Decision Say?

The Board states that biometric data such as fingerprints, facial recognition data, and iris and retina scans constitute a special risk area under personal data protection law, given their sensitive nature and irreversible character. The Principle Decision also refers to the definition of biometric data under the General Data Protection Regulation (“GDPR”), recalling that such data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.

The Board underlines that, while Labour Law No. 4857 and the relevant secondary legislation contain provisions requiring the tracking and documentation of working hours, there is no regulation that explicitly provides for attendance tracking by biometric means.

In connection with this finding, the Board evaluates the legal grounds for processing special categories of personal data set out under Article 6(3) of the Personal Data Protection Law No. 6698 (“Law”) within a two-stage analytical framework in the context of attendance tracking.

In the first stage, the Board finds that the legal grounds set out under subparagraphs (b) through (g) — most notably subparagraph (b), “expressly provided for by law” — do not apply to biometric data processing activities carried out for attendance tracking purposes. As there is no statutory basis specifically permitting biometric data processing for attendance tracking, the condition under subparagraph (b) cannot be met; similarly, the conditions required under the remaining subparagraphs are not satisfied in respect of this activity.

In the second stage, the Board finds that subparagraph (a), “explicit consent” — the ground commonly relied upon in practice — does not in itself constitute a sufficient legal basis. Whether an employee genuinely has the ability to withhold or withdraw consent is seriously questionable given the structural power imbalance inherent in the employer-employee relationship. Furthermore, the possibility of withdrawing consent directly undermines the continuity and operability of the biometric identification system. The Board therefore concludes that explicit consent cannot be regarded as freely given in this context and, accordingly, does not constitute a valid legal ground.

The Board also conducts an independent proportionality assessment under Article 4 of the Law, separately examining the suitability of the method for the purpose pursued, whether less intrusive alternatives have been exhausted, and the extent of the interference. The availability in practice of alternatives such as card or PIN-based systems, traditional signature and paper-based attendance records, RFID/NFC identity cards, and manual entry under supervisory oversight makes it clear that biometric data processing is not necessary. The Board therefore concludes that biometric data processing for attendance tracking purposes would fail to satisfy the proportionality criterion even where valid explicit consent has been obtained.

Conclusion and Practical Implications

The Board concluded that the processing of biometric data for attendance tracking purposes cannot be based on any of the legal grounds for processing special categories of personal data set out under Article 6 of the Law, and that reliance on explicit consent does not constitute a sufficient legal basis due to the power imbalance inherent in the employer-employee relationship and the revocability of consent. The Board further found that biometric data processing violates the proportionality principle under Article 4 of the Law, regardless of whether valid explicit consent has been obtained.

In this respect, data controllers should promptly consider the following steps:

  • Data controllers that track attendance by fingerprint, facial recognition or similar biometric methods should reassess the legal basis of their existing systems.
  • Biometric systems should be replaced by less intrusive alternatives, such as card or PIN-based systems, RFID/NFC identity cards, traditional signature or paper-based attendance records, or manual entry under supervisory oversight.
  • Continuing to operate the existing system on the basis that “the employee’s explicit consent has been obtained” is an approach that the Board has expressly rejected, and it does not eliminate enforcement risk.
  • Internal policy documents and employee notification processes should also be updated in line with the Principle Decision.