Duyurular

Principle Decision of the Turkish Personal Data Protection Board on the Processing of Biometric Data for Attendance Tracking Has Been Published

The Turkish Personal Data Protection Board (“Board”) published its Principle Decision No. 2026/921 dated 29 April 2026 on the Processing of Biometric Data for Attendance Tracking (“Principle Decision”) in the Official Gazette dated 2 June 2026 and numbered 33268.

The Principle Decision addresses, in summary, the following issues:

  • The Board evaluated the use of fingerprint recognition, facial recognition, iris scans, retinal scans, and similar biometric identification systems for employee attendance tracking from the perspective of personal data protection law.
  • It was emphasized that biometric data constitute special categories of personal data under the Turkish Personal Data Protection Law No. 6698 (“Law”) and involve significant risks, as such data cannot be altered or revoked if compromised.
  • Although employers have an obligation to monitor and document working hours, the Board stated that there is no explicit legal provision requiring or permitting attendance tracking through the processing of biometric data. Therefore, such processing cannot be based on the legal ground that it is “expressly provided for by law.”
  • The Board highlighted the imbalance of power inherent in the employer–employee relationship and noted that, given the potential adverse consequences employees may face if they refuse consent, serious doubts arise as to whether consent can genuinely be regarded as freely given.
  • It was further concluded that, even where explicit consent is obtained from employees, the processing of biometric data for an administrative purpose such as attendance tracking would not satisfy the principle of being relevant, limited, and proportionate to the purpose as required under the Law, considering the intensity of the interference with individuals’ rights.
  • The Board ruled that less intrusive alternatives should be preferred for attendance tracking purposes, such as password-protected card systems, PIN-based systems, traditional signature sheets, paper-based attendance records, RFID/NFC identification cards, or manual registration under supervisor oversight.
  • The Board also announced that data controllers found not to be acting in compliance with the administrative and technical requirements set out in the Principle Decision may be subject to administrative sanctions pursuant to Article 18 of Law No. 6698.

You can access the full text of the Principle Decision here.