Turkey: Biometric Data Usage For Security And Shift Checks Of Employees And In The Medical Sector

Last Updated: 10 April 2019
Article by Ali Yurtsever


Personal data protection was a controversial topic in Turkey for many years, mainly due to the European Union ascension procedures. Although Turkey signed and is therefore a party to the European Union Treaty No. 108 Convention for the Protection of Individuals with Regards to Automatic Processing of Personal Data (Treaty 108) back in 1981, the subsequent local regulations were never implemented and therefore the Treaty 108 never entered into force. To remedy this, Turkey adopted a new law regarding personal data protection, the Law on the Protection of Personal Data No. 6698, which was published at the Legislative Journal dated April 7, 2016 and No. 29677 (the Law), therefore effectively implementing the Treaty 108 domestically.

This Law is seen as a much needed improvement in personal data protection, and sets forth new liabilities to data holders, supervisors and processors to keep such personal data private at all times. However, the Law has somewhat vague definitions when it comes to defining what constitutes personal data, which can also be found in the Treaty 108. These vague definitions allow for a flexible definition of what constitutes personal data, which allows for different sets of data to be considered as personal data without the need for legislation amendments. However, it may also cause ambiguity and confusion regarding certain data sets, such as biometric data. Accordingly, in order to determine the rules regarding the usage of biometric data, the general principles and definition of personal data should be examined first.


Article 2 of the Law defines personal data as "all information relating to an identified or identifiable natural person", whereas Article 6 sets forth that "personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature".

Article 2 also defines processing of personal data as "any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means". Accordingly, even the collection, recording and/or storage of personal data shall be deemed as data processing and shall therefore be subject to the strict rules of procedures stipulated by the Law. Therefore, any action set forth in Article 2 regarding any personal data shall be subject to the explicit consent of the data owner as per Article 5. Of course, there are certain exceptions to this rule. According to Article 5, a personal data may be processed without the explicit consent of the data owner if:

a) it is clearly provided for by the laws,
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
c) processing of personal data belonging to the parties of a contract, is required provided that it is directly related to the conclusion or fulfilment of that contract,
d) it is mandatory for the controller to be able to perform his legal obligations,
e) the data concerned is made available to the public by the data subject himself,
f) data processing is mandatory for the establishment, exercise or protection of any right,
g) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.


  • Obligations of the Data Controller

According to Article 10, during the data collection and/or processing, the data controller or persons authorized by the data controller, are required to inform the data owner regarding (a) the identity of the controller and all its representatives, (b) the purpose of data processing, (c) to whom and for what purposes the processed data may be transferred and (d) the method and legal reason of collection of personal data.

Furthermore, the data controllers are also required to take all necessary measures, technical and administrative, to prevent any unlawful access and/or processing of such data. If the data is being handled/processed by authorized third parties, then the data controller shall be jointly liable along with the third party for taking these preventive measures and ensuring the safety of the collected data.

  • Rights of the Data Owner

Apart from the obligations imposed upon the data controllers, data owners also have a fair amount of rights under the Law. According to Article 11, the data owners have the right to request from the data controller information regarding whether his/her personal data is being processed or otherwise stored and collected, if so then to what end and to what extent the personal data is being processed, information regarding the third parties that have access to such information, if any, to request the rectification of the incomplete or inaccurate information, if any, to request the erasure and/or destruction of the relevant personal data and to request compensation for damages incurred due to unlawful processing of personal data.

The two important rights for data owners here are the right to request the rectification of the incomplete or inaccurate information and the right to claim compensation for damages incurred due to unlawful processing of data. This effectively gives power to the data owner to delete and destroy his/her personal data that is being processed or was processed in the past, and also gives the right to claim compensation if the data controllers breach their obligations arising from the law.


Until recently the legislation did not provide a separate definition for biometric data or a clear and extensive definition of what constitutes personal data. Instead, personal data was defined as "all information relating to an identified or identifiable natural person". The only other classification regarding personal data is the definition of "personal data of special nature" set forth in Article 6 (as noted above). Although this article 6 is a almost a direct translation of Article 6 of the Treaty 108, there is one crucial difference. Back in 1981, when the Treaty 108 was first implemented, the term biometric data did not exist, and therefore this term was not included in the original text of Treaty 108 and biometric data was not classified as personal data of special nature. Article 6 of the Law, however, does note that "biometric and genetic data" shall be deemed as personal data of special nature.

An interesting fact to note is the Court of Appeal's precedent regarding the biometric data (issued prior to the implementation of the Law). According to the precedent set by the Court of Appeals, "fingerprints and biological samples such as DNA, hair, saliva and fingernail samples" shall be deemed as personal data. Furthermore, the Constitutional Court, by referring to the relevant articles of the Treaty 108, ruled that "data obtained via biometric methods" shall be considered as personal data, however, such data cannot be considered as "extremely sensitive personal data such as political opinions, religious beliefs, health, sexual life or criminal convictions as noted in Article 6 of the Treaty 108". It is therefore unclear how this Court precedent should be review in light of the new changes made in the Law, although it is expected the Court of Appeals to amend this precedent in accordance with the new Law.


With the recent technological advancements and biometric technologies becoming cheaper, demand and access to such technologies have increased drastically. Biometric scanners are increasingly used in security (especially in tech companies where confidential information are of high value and in big companies, holdings that have large number of employees) and for identification purposes (mostly in medical sector, in hospitals, clinics etc.).

The most important issue in using biometric data for security and/or identification purposes is obtaining the explicit consent of the data owner. If consent is needed from every data owner, then how can companies use security systems that require biometric data (such as safe/confidential rooms accessible by fingerprint scanners) if one or more of their employees refuse to provide it, or can companies require their employees to use biometric scanners to keep track of their shifts, or can the medical sector demand biometric data before providing medical assistance in order to verify the patients identity?

These are all controversial issues due to the recent development in technology that allows for such systems to be implemented at a much cheaper price. Furthermore, biometric scanners and security systems are arguably more secure than simple passwords, which can be cracked, or more secure ID systems than a person's signature, which can be duplicated. Unfortunately, the Law and subsequent regulations do not provide clear answers to these issues. Therefore, the high courts (mainly the Court of Appeals, the Council of State and the Constitutional Court) have made different rulings for different situations on a case by case basis, depending on the principle of proportionality.

  • Biometric Data in Medical Sector for Patient ID Purposes

According to Article 67 of the Social Security and General Health Insurance Law No. 5510, state hospitals in Turkey may require their patients to provide their biometric data as a means for verifying the patient's identification (the article states that the patients are required to either prove their identity via biometric means or with an ID card, driver's license, marriage certificate or a passport, in order to benefit from health services). Accordingly, some state hospitals started using biometric checks to verify the applicant patient's identity and this caused some controversy, as it was seen as a violation of the right to privacy.

Finally, in 2014, the Council of State submitted an appeal to the Constitutional Court for annulment of the relevant provisions in this Article 67 claiming that it violated Articles 2, 13 and 20 of the Constitution. The Constitutional Court rejected the application and ruled that biometric data can be requested by state hospitals to verify patient's identity and this did not violate the right to privacy set forth in the Constitution.  The reasoning given by the Court in this decision was that, since the ID verification via biometric means is more secure against unauthorized usage, as such data cannot be faked, it is much more effective at combatting corruption in public offices. In other words, the Court ruled that preventing the abuse of the healthcare system is of paramount importance and when compared to the violation of the right to privacy, this provision does not violate the principle of proportionality. Therefore, the Court ruled that this provision did not violate the constitution as there was proportionality between the rights being protected (the integrity of the healthcare system) and those that were being violated (the right to privacy).

  • Biometric Data for Employee Shift Controls

This is another issue, especially concerning big companies and holdings that have large numbers of employees. These companies use different systems in order to control and record the working hours of their employees, such as signature sheets or card systems. However, another system that can be used is a fingerprint scanning system where employees stamp their time of arrival and departure by scanning their fingerprints.

One state hospital in Turkey started to use such a shift control application that kept track of the employees shift hours via fingerprint scanners. Subsequently, a lawsuit was filed against this mandatory fingerprint scanning application, which was finally decided upon by the Council of State. The Council of State ruled in this decision that, fingerprints of a person should be deemed as an inseparable entity of that person's private life and therefore is under the protection of right to privacy as per Article 20 of the Constitution. Furthermore, the Court ruled that there are other and equally competent means of tracking employee shifts and the benefit to be gained from such tracking application, even in the public sector, is negligible when compared to the violation of right to privacy. Therefore, the Council of State ruled that such applications violate the Constitution and employees cannot be forced to use fingerprint scanning systems for shift tracking purposes even in the public sector.

  • Biometric Data for Secure/Confidential Rooms

Another trend in business, especially in tech companies, is the implementation of secure rooms to safely store confidential information. This is especially required by foreign companies from their Turkish counterparts in cases where highly classified and confidential information is being exchanged between the parties. These secure rooms used to be protected by systems using simple passwords, whereas currently, the companies require secure rooms that are only accessible via biometric data, such as fingerprints, retinal scanners or face ID (as it is considered safer than passwords).

However, secure rooms accessible by biometric data once again brings up the issue of consent. Since the companies need one or more of their employees to have access to these secure rooms, they need to obtain such employees' biometric data in order to properly implement a secure room. Although there are no specific high court rulings regarding this issue yet, the Council of States' decision regarding biometric data usage for employee shift controls (noted above) should serve as a good basis. Applying that decision to this case, it is clear that the benefit to be gained from implementing a secure room (in private companies) will be negligible when compared to the violation of the right of privacy. Therefore, companies cannot demand biometric data from their employees for the implementation of secure rooms and cannot terminate employment contracts based on an employee's rejection of providing such data. However, it is still possible to obtain such data from consenting employees (although such consent should be carefully worded to avoid violating any provisions of the Law).


Regulations in Turkey regarding personal data protection are still quite new and therefore, there are no established court precedents so far. The currently available court rulings are generally dated before the implementation of the Law and although some of them do reference the Treaty 108, we will still need to wait a few more years for the high courts to establish a precedent specific to the Law itself, and its secondary regulations. It is therefore extremely important for companies to have comprehensive personal data protection texts (informative texts and consent forms) in order to avoid any possible future liability that may be imposed upon by the court precedents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
ELIG Gürkaynak Attorneys-at-Law
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
ELIG Gürkaynak Attorneys-at-Law
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions