Open menu

06 Ekim 2023

Personal Data Protection Law (PDPL) in Human Resources Processes: Why is It Important?
×

Yazar Civan Güneş, CottGroup Hukuk ve Mevzuat Ekibi, Kategori KVKK - GDPR, Work Life

Personal Data Protection Law (PDPL) in Human Resources Processes: Why is It Important?

In today's business world, the need for personal data protection has been ensured by the Personal Data Protection Law (PDPL), making it a priority for every organization. Human resources departments are responsible for collecting, managing, and storing extensive personal data, including sensitive data about employees and candidates. This data includes social security numbers, addresses, phone numbers, email addresses, medical records, and other personal data. Therefore, the significance of personal data protection in human resources cannot be overstated. We've outlined the critical factors that HR professionals should pay attention to when it comes to protecting personal data during the recruitment and active employment processes.

CottBlog Abone Ol
CottBlog Subscribe

Personal Data Protection in the Recruitment Process

Personal data protection has become an increasingly important issue in recent years, especially in the case of recruitment, termination, and subsequent processes. With technological advancements, companies can access more personal data than ever before, making it compulsory to handle, store, and dispose of such data appropriately.

Under the Personal Data Protection Law (PDPL), data controllers must protect the personal data acquired during the recruitment process. Therefore, HR personnel involved in recruitment must undergo specific training on the regulations and responsibilities surrounding personal data protection to comply with the PDPL. This training will ensure that all collected personal data is processed in adherence to the regulations.

During the recruitment process, the candidates should be informed about who will handle their personal information and for what purposes. The personal data collected should only be used for evaluating and assessing candidates, not for marketing or advertising, and not shared with third parties without the candidate's consent. Once the recruitment process is over, the data collected must be securely disposed of to comply with the Personal Data Protection Law.

To avoid discrimination during recruitment, it's crucial not to collect or process special categories of personal data such as religious beliefs or political opinions unless it's necessary for the specific role. If psychological or alcohol/drug tests are a requirement for a position, the candidate should give explicit consent, and measures should be taken to comply with the Personal Data Protection Law.

Employers should only request information from job candidates that is directly relevant and necessary for the recruitment process. For instance, if a company vehicle is not required for the position, then some personal data should not be requested. It is also important to avoid asking for an excessive amount of personal data. Data controllers should take measures to protect the personal data collected during recruitment and inform candidates about how their data will be processed to ensure compliance with the PDPL.

Personal Data Protection During Employment Process

As per the Personal Data Protection Law (PDPL), protecting the personal data of employees is a legal obligation in our country. This requirement implies that reasonable measures must be taken to ensure that personal data is not accessed without permission, not used for other purposes than intended, and not disclosed. Failure to comply with these regulations can result in significant fines and legal proceedings.

Article 75 of Labor Law No. 4857 mandates that employers or Human Resources personnel acting on behalf of the employer must maintain an employee info file for each worker they employ. This file must contain the worker's identity information, as well as all documents and records required to be kept under the Labor Law and other laws. When requested, authorized officials and authorities must be provided access to this information.

Employers are required by the Personal Data Protection Law to provide their employees with an explanation of the personal information contained in their employee info files, as well as the reasons for collecting and processing this information. While employee consent is not required for the processing of their personal data, it is stated in Article 5, paragraph 2, sub-paragraph (a) of the PDPL that personal data may be processed without consent if explicitly authorized by law. Under Article 75 of the Labor Law, the processing of personal data for the creation of personnel files is mandatory.

To secure the protection of employees' personal data, certain precautions should be taken, such as:

  • Comprehensive Data Protection Policy:
  • Employers should create a data protection policy outlining the organization's procedures for handling sensitive employee data. The policy should be communicated to all employees and should cover topics like data access, storage, and disposal.

  • Limited Access:
  • Employers should limit access to personal data only to employees who require it for their job responsibilities. It is advisable to implement role-based access controls and keep the number of employees with access to sensitive data at a minimum.

  • Data Storage Security:
  • Employers should store personal data in secure areas, such as locked cabinets or password-protected servers. Physical files should be kept under lock and key, electronic files should be encrypted, and password protection should be enforced.

  • Secure Communication Channels:
  • Employers should use secure channels, such as encrypted email or messaging apps, to transmit personal data. Personal data should not be sent through insecure channels like regular email or text messages.

  • Access Monitoring and Auditing:
  • Employers should regularly monitor and audit employee access to personal data to detect any suspicious activities, potential data breaches, or unauthorized access.

  • Employee Training:
  • Employers should provide necessary training for employees on data protection policies and procedures to ensure their understanding of handling sensitive information.

  • Data Disposal:
  • It is important for employers to properly dispose of personal data once it is no longer needed. This can be accomplished through methods such as shredding physical documents or deleting electronic files securely.

It is also important to note that employees have the right to access their personal data. As such, data controllers should provide employees with the chance to review their personal information and make any necessary corrections.

Should you have any queries or need further details, please contact us.

Notification!

The content in this article is for general information purposes only and belongs to CottGroup® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

CottGroup® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.

To reach CottGroup® member companies, click here.

About The Author

/tr/blog/calisma-hayati/item/insan-kaynaklari-sureclerinde-kvkk-nin-onemi

Diğer Makaleler