02June2026

DPA Principle Decision: Processing of Biometric Data for Employee Attendance Tracking

With the Principle Decision on the Processing of Biometric Data for Attendance Tracking Purposes, dated April 29, 2026 and numbered 2026/291, published in the Official Gazette dated June 2, 2026 and numbered 33268 (the "Decision"), the Personal Data Protection Board emphasized that the increasing use of biometric identification systems (such as fingerprint, facial recognition, and iris/retina scanning) for the digitalization and security of employee attendance tracking must comply not only with a valid legal basis, but also with the principles of proportionality, necessity, and data minimization, given that biometric data constitutes special category personal data and possesses an irreversible nature.

The Decision reiterates that biometric data is classified as a special category of personal data under the Turkish Personal Data Protection Law No. 6698 (the "Law") and is therefore subject to a stricter protection regime. The Board emphasized that biometric data poses significant risks to data subjects due to its sensitive and irreversible nature, and referred to the definitions of biometric data under both Turkish legislation and the European Union General Data Protection Regulation ("GDPR"), noting that data such as fingerprints, facial recognition data, iris/retina scans, voice patterns, and similar identifiers fall within this category. In this context, the Board underlined that the processing of special category personal data is only permissible where one of the legal grounds set out in Article 6 of the Law applies, and that data controllers are also required to implement the additional security measures prescribed by the Board.

The Decision further highlights that, pursuant to the Turkish Labour Law No. 4857 and the Regulation on Working Hours under the Labour Law, employers are required to monitor and document employees' working hours; however, there is no legal provision that explicitly requires or authorizes the fulfilment of this obligation through the processing of biometric data. Accordingly, the Board concluded that the processing of biometric data for attendance tracking purposes cannot be based on the legal ground of being "explicitly provided for by law" under Article 6 of the Law. The Board also noted that, due to the inherent imbalance of power in the employer-employee relationship, there may be doubts as to whether an employee's consent can truly be regarded as freely given, and therefore explicit consent alone may not constitute a sufficient legal basis for such processing activities.

In addition, the Board referred to the Constitutional Court General Assembly's decision dated March 10, 2022 (Application No. 2018/11988), as well as the Council of State 12th Chamber's decision numbered 2021/3870 E. and 2023/2548 K., and the subsequent decision of the Council of State Administrative Chambers Assembly numbered 2024/225 E. and 2024/2625 K., which upheld that ruling. These decisions similarly emphasized that attendance tracking practices based on biometric systems, such as fingerprint and palm vein recognition technologies, must be assessed in light of the principles of legality, necessity, and proportionality. In line with this established case law, the Board noted that the use of biometric data for attendance tracking purposes may give rise to legal concerns under the principle that personal data must be processed in a manner that is relevant, limited, and proportionate to the purpose for which it is processed, particularly where less intrusive alternatives are available.

Particularly in light of the relevant Decision, it has been assessed that:

Although the legislation contains provisions regarding the monitoring of working hours, there is no explicit legal provision regulating how such monitoring should be carried out or requiring it to be conducted through the processing of biometric data. Therefore, under the current legal framework, it cannot be accepted that the processing of biometric data for this purpose is based on the legal ground that it is "explicitly prescribed by law".
Accordingly, in activities involving the processing of biometric data for attendance and working time tracking purposes, none of the processing conditions set out under subparagraphs (b), (c), (ç), (d), (e), (f), and (g) of Article 6(3) of the Law are deemed applicable. For this reason, such processing activities have generally been based on the explicit consent condition under subparagraph (a). However, due to the imbalance of power inherent in the employer–employee relationship, there are doubts as to whether such consent can truly be regarded as freely given, and therefore explicit consent alone does not constitute a sufficient legal basis.
The principle of proportionality is an important criterion in assessing personal data processing activities. Even where the data subjects have provided explicit consent, the processing of biometric data for attendance tracking purposes would fail to satisfy the proportionality requirement set forth under the general principles of Article 4 of the Law, particularly where alternative and less intrusive methods are available.

It has therefore been concluded that the processing of biometric data for attendance and working time tracking purposes is carried out without reliance on any of the legal grounds set out in Article 6 of the Law. Furthermore, even where valid explicit consent has been obtained, such processing activity would not satisfy the proportionality requirement under the general principles set forth in Article 4 of the Law. Accordingly, it has been expressly emphasized that attendance and working time tracking should be conducted through alternative methods rather than biometric identification systems, such as password-protected card or PIN-based systems, traditional signature and paper-based attendance records, RFID/NFC identification cards, or manual entry under supervisor oversight.

Within this framework, it has been determined that the above-mentioned measures constitute administrative and technical safeguards that data controllers are required to implement pursuant to Article 12(1) of the Law in order to ensure the lawful processing of personal data. It has further been decided to inform the public that, where it is determined that data controllers fail to comply with these requirements, actions and sanctions may be imposed pursuant to Article 18 of the Law.

You may access the full text of the Principle Decision here. (In Turkish)

Author Taylan Ege Günel, Category Personal Data Protection Law

Notification!

The content in this article is for general information purposes only and belongs to CottGroup^® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

CottGroup^® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup^® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.

To reach CottGroup^® member companies, click here.