With the Principle Decision on the Processing of Biometric Data for Attendance Tracking Purposes, dated April 29, 2026 and numbered 2026/291, published in the Official Gazette dated June 2, 2026 and numbered 33268 (the "Decision"), the Personal Data Protection Board emphasized that the increasing use of biometric identification systems (such as fingerprint, facial recognition, and iris/retina scanning) for the digitalization and security of employee attendance tracking must comply not only with a valid legal basis, but also with the principles of proportionality, necessity, and data minimization, given that biometric data constitutes special category personal data and possesses an irreversible nature.

As is known, the deadline for real and legal person data controllers processing personal data to fulfill their registration and notification obligation with the Data Controllers Registry ("VERBIS"), as stipulated under Article 16 of the Law on the Protection of Personal Data No. 6698, was set as December 31, 2021.

With its Principle Decision dated February 18, 2026 and numbered 2026/348, the Turkish Personal Data Protection Board ("Board") has made significant assessments regarding a practice frequently encountered in apartment and residential site managements. The relevant Principle Decision was published in the Official Gazette dated March 31, 2026 and numbered 33210.

In the Decision, it is stated that the processing of personal data through posting lists containing personal data such as name-surname, apartment number, amount of debt, and delay information related to dues, advances, and similar receivables in common areas such as elevators, building entrances, and corridors does not constitute a disclosure limited to a specific and identifiable group of recipients, but may instead lead to disclosure to an indefinite number of third parties. In this context, it has been emphasized that such practice cannot rely on any of the legal grounds for processing set forth under Article 5 of The Law numbered 6698 on the Protection of Personal Data and that making personal data accessible to unauthorized persons constitutes a breach of the obligation to implement adequate technical and administrative measures for data security under Article 12 of the Law.

The Principle Decision titled "On the Requirement for Data Controllers to Prepare Explicit Consent Texts and Obligation to Inform Separately", issued by the Turkish Personal Data Protection Board ("Board") with decision number 2026/347 dated February 18, 2026, was published in the Official Gazette dated 24 March 2026 and numbered 33203, and has thereby entered into force.

With this Principle Decision and the accompanying public announcement, significant structural changes and compliance requirements have been introduced regarding the practices of data controllers in relation to their obligation to inform and explicit consent processes.