{"id":2239,"date":"2026-06-03T06:59:00","date_gmt":"2026-06-03T06:59:00","guid":{"rendered":"https:\/\/fepartners.com.tr\/?p=2239"},"modified":"2026-06-03T07:02:20","modified_gmt":"2026-06-03T07:02:20","slug":"turkish-data-protection-board-biometric-data-attendance-tracking-principle-decision","status":"publish","type":"post","link":"https:\/\/fepartners.com.tr\/en\/turkish-data-protection-board-biometric-data-attendance-tracking-principle-decision\/","title":{"rendered":"The Turkish Data Protection Board Issued a Principle Decision on the Processing of Biometric Data for Attendance Tracking Purposes"},"content":{"rendered":"\n

Recent Development<\/strong><\/p>\n\n\n\n

The Turkish Data Protection Board\u2019s (\u201cBoard<\/strong>\u201d) principle decision dated 29 April 2026 and numbered 2026\/921 on the Processing of Biometric Data for Attendance Tracking Purposes (\u201cPrinciple Decision<\/strong>\u201d) was published in the Official Gazette dated 2 June 2026 and numbered 33268.<\/p>\n\n\n\n

In the Principle Decision, the Board evaluates the reports and complaints submitted to the Authority regarding the use of biometric recognition systems for the purposes of digitising employee attendance tracking and enhancing security.<\/p>\n\n\n\n

What Does the Decision Say?<\/strong><\/p>\n\n\n\n

The Board states that biometric data such as fingerprints, facial recognition data, and iris and retina scans constitute a special risk area under personal data protection law, given their sensitive nature and irreversible character. The Principle Decision also refers to the definition of biometric data under the General Data Protection Regulation (\u201cGDPR<\/strong>\u201d), recalling that such data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.<\/p>\n\n\n\n

The Board underlines that, while Labour Law No. 4857 and the relevant secondary legislation contain provisions requiring the tracking and documentation of working hours, there is no regulation that explicitly provides for attendance tracking by biometric means.<\/p>\n\n\n\n

In connection with this finding, the Board evaluates the legal grounds for processing special categories of personal data set out under Article 6(3) of the Personal Data Protection Law No. 6698 (\u201cLaw<\/strong>\u201d) within a two-stage analytical framework in the context of attendance tracking.<\/p>\n\n\n\n

In the first stage, the Board finds that the legal grounds set out under subparagraphs (b) through (g) \u2014 most notably subparagraph (b), \u201cexpressly provided for by law\u201d \u2014 do not apply to biometric data processing activities carried out for attendance tracking purposes. As there is no statutory basis specifically permitting biometric data processing for attendance tracking, the condition under subparagraph (b) cannot be met; similarly, the conditions required under the remaining subparagraphs are not satisfied in respect of this activity.<\/p>\n\n\n\n

In the second stage, the Board finds that subparagraph (a), \u201cexplicit consent\u201d \u2014 the ground commonly relied upon in practice \u2014 does not in itself constitute a sufficient legal basis. Whether an employee genuinely has the ability to withhold or withdraw consent is seriously questionable given the structural power imbalance inherent in the employer-employee relationship. Furthermore, the possibility of withdrawing consent directly undermines the continuity and operability of the biometric identification system. The Board therefore concludes that explicit consent cannot be regarded as freely given in this context and, accordingly, does not constitute a valid legal ground.<\/p>\n\n\n\n

The Board also conducts an independent proportionality assessment under Article 4 of the Law, separately examining the suitability of the method for the purpose pursued, whether less intrusive alternatives have been exhausted, and the extent of the interference. The availability in practice of alternatives such as card or PIN-based systems, traditional signature and paper-based attendance records, RFID\/NFC identity cards, and manual entry under supervisory oversight makes it clear that biometric data processing is not necessary. The Board therefore concludes that biometric data processing for attendance tracking purposes would fail to satisfy the proportionality criterion even where valid explicit consent has been obtained.<\/p>\n\n\n\n

Conclusion and Practical Implications<\/strong><\/p>\n\n\n\n

The Board concluded that the processing of biometric data for attendance tracking purposes cannot be grounded on any of the legal grounds for processing special categories of personal data set out under Article 6 of the Law, and that reliance on explicit consent does not constitute a sufficient legal basis due to the power imbalance inherent in the employer-employee relationship and the revocability of consent. The Board further found that biometric data processing violates the proportionality principle under Article 4 of the Law, regardless of whether valid explicit consent has been obtained.<\/p>\n\n\n\n

In this respect, data controllers should promptly consider the following steps:<\/p>\n\n\n\n