What is the impact of the Personal Data Protection Law (KVKK) on Payroll Outsource Process?
In Türkiye, the most significant step towards the protection of personal data is the Personal Data Protection Law (KVKK ) numbered 6698 which entered into force after its publication in the Official Gazette dated April 7, 2016. The law includes provisions that grant time period to the real persons whose data are processed and the natural and legal persons who process such data, until April 7, 2018 for conducting compliance with the law. Similarly, the European Union General Data Protection Regulation (GDPR) entered into force on May 25, 2018 and constituted an important stage in the improvements made towards protection of personal data in Europe.
Sanctions and Actors
Although the aggravated penal sanctions introduced by both of the laws (GDPR and KVKK) and the environmental legislations force organizations to be compliant with the relevant requirements, many organizations are yet to take the required steps. The informative meetings held in a number of cities in our country, Türkiye, including in particular Istanbul and Ankara, have been considered by some companies and public institutions as an opportunity in their digitalization processes. On the other hand, the imprisonment penalties stipulated in KVKK draw the attention to the administrative and technical measures. For instance, it stipulates imprisonment of up to 2 years for failure to destroy the personal data within the specified time (non-compliance with the retention periods) and imprisonment of 1 – 3 years in case of unlawful recording of the personal data is conducted. The most aggravated sanction in the Law, on the other hand, is regarding unlawful transfer, disclosure or reveal of personal data by others, which stipulates 2 – 4 years of imprisonment. Thus, the fines defined in KVKK are also extremely high; the monetary sanctions set forth for 2019 are up to 100,000 TRY in case of failing the obligation of disclosure duty, and up to 1,000,000 TRY in case of breach of the obligation of registration and notification to the data controllers’ register. (The calculation for 2019 should be made by making an increase as per the revaluation rates) At the same time, instances of legal non-compliance with GDPR may lead to fines of up to 4% of the relevant entity’s global turnover in the previous year, or 20,000,000 EUR.
When we look at the parties that are defined similarly in both of the laws, the data subject, data controller and data processor appear to be the significant actors. One of the operational business processes where all these three actors come together happen to be the payroll outsourcing process. Article 3 of KVKK defines these actors as follows:
- Data Subject: The natural person whose data is processed acts as the owner of the data in practice. It is called Data Subject in GDPR.
- Data Controller: Natural or legal person who determines the purposes and means of the processing of Personal Data, and who is responsible for establishment and management of the data recording system. It is called Data Controller in GDPR.
- Data Processor: Natural or legal person who processes the personal data on behalf of and based on the authority granted by the data controller; It is called Data Processor in GDPR
Historical Development of Payroll Outsource Services and Sarbanes-Oxley Act (SOX)
If we take a brief look at the history of the payroll outsource services, initially we have to start with the years when there was no automation and computer use in this field. At the end of 1940s, in abroad, outsource was limited to assigning a complicated business function to a consultant. Especially in the US, 50s and 60s refer to a period when payroll calculations were started to be made at an academic level and by means of the first computers by the companies, although this was yet to become wide-spread. Payroll outsourcing companies which emerged from the beginning of 1970s until 1980s, recommended to automatize the payroll processes and to produce payslips and pay-checks by a completely non-manual, automated method.
The audit issues that led to the emergence of Sarbanes-Oxley Law in 2002 have created awareness on the importance of more consistent checks on the personnel wages, which consist one of the most important cost items for the organizations. SOX aimed to increase the controls of the organizations on financial reporting to the highest level and to establish an efficient corporate management system. According to the new rules, it has been accepted as a principle that if an audit company is conducting the financial audit of a client, it cannot handle any other work of that specific client.
With various corruptions having been revealed over the course of time, it has been understood that in-house payroll operators, who process the payroll and make the payments have made fraudulent transactions for years, such as high wages, additional payments, over time pays or fraudulent advance payments. Factors such as internal control weaknesses, failure to implement the principle of separation of powers, reporting deficiencies, and human fault has made outsourcing of the payroll services the primary choice, in particular for US companies. This trend has later spread to Europe and subsequently to the other countries across the world.
As per the separation of powers approach arising from SOX Law, audit companies cannot make payroll calculations for the companies which they provide audit services. Today, companies prefer carrying out this complicated business process by way of outsourcing due to reasons such as cost-effectiveness, confidentiality and security, legal compliance, control requirement, etc. In this way, corruption decreases while confidentiality, audit and control possibilities increase.
Rights and Obligations of the Parties
If a company carries out the payroll processes by receiving outsourced services, the legal rights and obligations of the parties should be reviewed separately. When we try to distinguish the parties involved in the process within the organization that outsources its operations, we come across with various roles. Below is a summary of the individual status of the parties within the process:
1. Company that outsources payroll operations: Article 75 of Labour Law No. 4857 consists an important provision regarding the protection of personal data of the employees. Accordingly, “the employer shall create a personal file for each employee it employs. In this file the employer shall be obliged to keep all documents and records that it is obliged to issue pursuant hereto and other legislation in addition to the employee's identity information, and shall submit these to authorized officers and bodies when requested. The employer shall be obliged to use information it obtains on the employee in keeping with the good faith principle and the law, and to not disclose information the confidentiality of which is in the rightful interest of the employee”. Similarly, Article 5 of KVKK stipulates the rules regarding the terms of processing of personal data. Accordingly, if at least one of the below conditions exists, processing of personal data shall become possible.
- Existence of the data subject's explicit consent,
- In situations expressly prescribed by the Law,
- Where it is mandatory for the protection of life or bodily integrity of a person who is incapable of giving his/her consent due to physical impossibility or whose consent is legally invalid, or of another person,
- Where the processing of personal data belonging to the parties of a contract is necessary, provided that these are directly related to the conclusion or performance of the said contract,
- Where it is obligatory for the data controller to fulfil its legal obligation,
- Where it is publicized by the data subject itself,
- Where it is mandatory to process data for securing, exercising or protection of a right,
- Where it is obligatory to process data for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not infringed.
In the light of the information provided in the above stated articles, the legal liability of paying the wages of the employees shall naturally belong to the data controller who is the employer. Furthermore, payroll calculation is one of the conditions to ensure performance of the employment contract executed by and between the employee and the employer. In other words, the legal basis for processing of personal data for the purpose of calculating the payroll of the employee is fully constituted. Accordingly, the personal data can be transferred to the payroll service provider without obtaining the explicit consent of the employees. Another significant matter, on the other hand, which should not go unnoticed at this point, is the disclosure obligation. KVKK stipulates an obligation of disclosure for the data controller; notwithstanding the explicit consent of the persons, satisfaction of the conditions for personal data processing, and similar processes. Data controller should consider the provisions set forth in Article 10 of the Law while fulfilling the disclosure obligation for the company. Furthermore, the Communique on Procedures and Principles Applicable in the Fulfilment of the Obligation of Disclosure published in the Official Gazette No. 30356, dated March 10, 2018 determines the procedures and principles to be observed within the scope of the disclosure obligation.
According to the relevant article of the law and the explanations made in the communique, the purpose of the processing of personal data and parties to whom they shall be transferred should be stated explicitly. In addition, the legal ground should be clearly demonstrated and the purpose of transferring the personal data to the payroll company should be stated in the disclosure text.
In accordance with Article 12 of KVKK, in case of the processing of personal data by a natural or legal person on behalf of the data controller, the data controller shall be jointly liable with the data processor for ensuring due processing of personal data, preventing unlawful access thereto, enabling protection thereof, and taking all the technical and administrative measures. There may also be sensitive personal data among the data to be transferred by the outsourcing party. Union membership, health information, medical reports, etc., which may affect the payroll calculations are considered to be sensitive personal data. Such data that may be listed within this scope are those relating to race, ethnicity, political views, philosophical beliefs, religion, denomination or other beliefs, appearance, union and/or association memberships, health, sexual life, criminal conviction and criminal records and security measures, as well as biometric and genetic data (cannot be extended by analogy).
In accordance with the law, processing sensitive personal data is possible only under the following circumstances, apart from cases of having explicit consent from the relevant person, the data subject:
- For sensitive personal data apart from those regarding the health condition and sexual life; only in cases where stipulated by the laws,
- Personal data in respect of health and sexual life can only be processed by authorized bodies and institutions or persons who are bound by a duty of confidentiality for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
In this case, union membership information of the personnel may be transferred to the payroll outsource service provider without the requirement of obtaining explicit consent (by mentioning it in the disclosure text). On the other hand, explicit consent of the personnel shall be required for transferring medical reports to the payroll outsource service provider.
2. Company employees and people who are authorized to access personal data: The right to privacy and its protection are set forth in the Turkish Constitution. In accordance with Article 20 of the Constitution of the Republic of Türkiye dated October 18, 1982, “every person shall have the right to request respect for privacy of their personal and family life. The privacy of personal and family life is protected under immunity.” The addition made to this Article on May 7, 2010 is as follows: “every person shall have the right to request the protection of his/ her personal data. This right encompasses the right to obtain information of an individual on their personal data, their right to access these data, their right to request correction or deletion of the same, and their right to learn whether such data are used for their intended purposes. Personal data can be processed only under the circumstances set forth in the Law, or upon explicit consent from the relevant individual. The principles and procedures regarding the protection of personal data are regulated by the law.” Furthermore, these rights are regulated under Article 11 of KVKK as follows.
By applying to the data controller, every person has the right to
- learn whether or not their personal data are being processed,
- request information on the procedure, if their personal data are being processed,
- obtain information on the purpose of processing of personal data and find out whether personal data has been used in line with their purpose;
- obtain information about the third persons to whom personal data were transferred domestically or abroad,
- request correction where in case the personal data may have been incompletely or inaccurately processed;
- if the reasons requiring personal data to be processed cease to exist, request that the personal data are deleted or destroyed, by also taking the statute of limitations into consideration, and request that the third parties to whom personal data are transferred are also informed of the actions performed in this regard,
- object to the occurrence of any adverse outcome against the data subjects, due to the analysis of their personal data exclusively through automated systems,
- request compensation for damages in the case that damages are sustained as a result of the unlawful processing of personal data.
When the data subject wishes to lodge an application to the data controller, he/she shall submit this in writing pursuant to Article 13 of KVKK or by other methods to be determined by the Personal Data Protection Board. In general, companies provide an e-mail address or an online form access for these requests when fulfilling their duty of disclosure. It should be noted that, pursuant to KVKK, these requests shall be fulfilled free of charge; however, if such process results in any cost, the cost may be collected from the data subject. The fee tariff shall be determined by the Personal Data Protection Board. However, in case of negligence of the employer regarding the matter that is the subject of the request, the amount collected by the data subject, shall be refunded.
In the light of these explanations, it is safe to say that in cases deemed necessary by the employee, it would be in line with the law for the data controller to fulfil the employee’s request regarding learning the identity of the payroll outsource service provider.
A separate security need arises for persons in the company who have the authorization to transfer the employees’ personal data to the payroll outsource service provider. A different confidentiality agreement should be drafted for the personnel who have access to sensitive data such as, wages, private personal data, etc. and the access authorization levels of these people should be distinguished in the authorization matrix.
3. Payroll outsource service provider: Payroll outsource service provider carries out the payroll calculation procedures on the basis of the employee data received from its client which is the data controller. As this service is provided by virtue of an authorization received from the data controller, in this context, the service provider should be considered as the “data processor”. The company and the service provider should execute an agreement for “data transfer from the data controller to the data processor”. The purposes and methods of data processing should be stated in this agreement. If the service provider uses the personal data received for payroll calculation, for purposes other than the payroll services and similar purposes specified in the agreement, it should be emphasized that it will instantly be considered as the “data controller” for the said data. It is clear that the data processor should ensure the protection of the personal data by taking the necessary technical and administrative measures, even though it only processes the data of the data controller in line with data controller’s instructions. Data processor should take the data from its client in a manner that is related, limited and proportionate with the purpose of the service. For instance, while name, surname, Turkish ID number can be obtained for payroll calculation, family information of the employee can also be requested for the calculation of Minimum Living Allowance (AGI). Yet, if the company is obtaining the vehicle license plate numbers of its employees to monitor their entries to and exits to the parking lot, there is no need for it to transfer this data to the payroll service provider. Because, the license plate number is defined as personal data and its unnecessary transfer conflicts with the principle of proportionality.
In respect of the processes and responsibilities described herein above, the outsourcing company and the payroll service provider should take the necessary security measures to ensure the security of the personal data during their transfer. The parties should determine the probability of realization of the risks that may arise in relation to the protection of these data, analyse the losses that may be incurred if a risk is realized and introduce the suitable solutions in this regard. All technical measures for the secure transfer of the data, such as encryption, SSL, e-mail security and similar measures should be reviewed diligently and the risks that may arise during the transfer should be minimized. Moreover, in case of a data breach, the obligations of the data controller regarding data breach notification should be taken into account.
- [1] Text of the Personal Data Protection Law: To read, please Click here
- [2] Text of EU General Data Protection Regulation (GDPR): To read, please Click here
- [3] About Data Breach Notification: To read, please Click here
CottGroup® is a holistic service organization offering a full range of consulting, outsourcing, technology, and training services together with practical solutions to all types of businesses in Türkiye. Our attorneys and consultants combine the highest levels of local and international expertise to turn your business needs into a success story.
-
-
Notification!