Biometric Attendance and Time Tracking Systems
Biometric data are sensitive personal data—such as fingerprints, facial images, palm prints, and retinal data—that distinguish one person from another, are unique, and generally do not change over a lifetime. With advances in technology, employers have begun processing employees’ biometric data for the purpose of tracking working hours/attendance. However, the Turkish Council of State and the Personal Data Protection Board consider attendance tracking through biometric methods to be unlawful in most cases where less intrusive alternatives—such as magnetic card systems, signature attendance sheets, or mobile confirmations—are available. Therefore, employers should review their biometric data processing activities within this scope, as such practices carry the risk of legal, administrative, and criminal sanctions.
31.12.2025

Biometric Data
As stated in the Personal Data Protection Authority’s (“Authority”) Guideline on Considerations in the Processing of Biometric Data dated March 25, 2025, biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a real person, which allow or confirm the unique identification of that real person, such as facial images or dactyloscopic data.”[1]
Condition for Processing Biometric Data: Explicit Consent
Biometric data consists of characteristics that generally remain unchanged throughout an individual’s lifetime and distinguish the individual from others. Data such as fingerprints, retina, palm, face, hand shape, and iris are examples of physiological biometric data. Under the Personal Data Protection Law No. 6698 (“Law”), biometric data qualifies as special category personal data.
The processing of special category personal data requires at least one of the following legal bases:
a) Data subject has given his/her explicit consent,
b) It is explicitly provided by laws,
c) It is necessary to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid,
d) It relates to personal data that have been made public by the data subject, and processing is consistent with data subject’s intention to make such data public,
e) It is necessary for the establishment, exercise or protection of any right,
f) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health-care services by persons subject to legal obligation of confidentiality or by competent public institutions and organizations,
g) It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
h) It relates to the current or former members and affiliates of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, or to individuals who are in regular contact with these organizations, provided that such processing complies with the applicable legislation governing these organizations and their objectives, is limited to the organizations’ fields of activity, and does not involve disclosure of data to third parties.
For work time and attendance tracking, none of the conditions other than the data subject’s explicit consent generally appears to allow the processing of biometric data. Indeed, for a statutory basis to apply, the enabling legal provision must be clear and unambiguous, leaving no room for doubt.[2] There is no provision in Turkish law that clearly permits the processing of biometric data solely for work time/attendance tracking.
Additionally, processing biometric data to monitor working hours is not mandatory for establishing or exercising the employer's right to supervise and monitor employees. In principle, if biometric processing is claimed to be “necessary,” the employer should be unable to achieve the same purpose by less intrusive processing. However, working hours and attendance can typically be monitored through alternative means such as:
- magnetic card readers,
- signature sheets,
- two-step entry/exit tracking (e.g., SMS/mobile code/mobile approval).
Similarly, even if the purpose of attendance tracking were, for the sake of argument, recast as occupational health and safety, the employer can ensure occupational health and safety by processing data other than biometric data. For example, they can install cameras in areas that pose a threat to occupational health and safety, increase inspections, and organize employee training.
If the sole condition for processing biometric data is explicit consent, it is necessary to explain what explicit consent entails. Explicit consent is the data subject’s consent that is:
(i) specific to the processing activity,
(ii) based on being informed, and
(iii) freely given.
For a statement to be considered "explicit consent," these three elements must be present together. Furthermore, the data subject must be able to withdraw their consent at any time. In administrative investigations and court decisions, employee explicit consent is evaluated with caution due to the imbalance inherent in the employer–employee relationship, which may undermine genuine free will. Where the employee does not have a real opportunity to refuse or withdraw consent—or where refusal/withdrawal results in disadvantage—consent cannot be regarded as freely given.
The Principle of Proportionality Even with Explicit Consent
Even where explicit consent is obtained in a manner that is:
(i) specific to the subject (supported by an information notice prepared specifically for biometric processing for the purpose of monitoring working hours),
(ii) informed (the employee is informed of all stages, methods, and results of the processing activity), and
(iii) freely given (the employee has a real option to refuse without suffering disadvantage),
the processing of biometric data for work time tracking will still not be legally acceptable in most cases. Explicit consent does not legitimize processing that exceeds what is necessary.[3] The employer, as data controller, must rely on a lawful basis and comply with the general principles under Article 4 of the Law.
Accordingly, biometric processing based on explicit consent must:
a) not impair the essence of fundamental rights and freedoms, and
b) be relevant, limited, and proportionate to the purpose of monitoring working hours.
Proportionality is assessed strictly in both administrative and judicial practice. The proportionality principle requires a reasonable balance between the legitimate aim and the means used. The employer should therefore process the minimum amount of data required to achieve the legitimate purpose. If the same purpose can be achieved through a less intrusive method, choosing a more intrusive method is likely to be considered disproportionate.
Where the employer can monitor working hours by processing general data—rather than unique biometric identifiers that are permanent throughout life—the processing of biometric data is generally disproportionate. Proportionality is assessed case by case. For example, biometric processing may be justifiable for access to a nuclear power plant with exceptional security requirements, whereas biometric processing for access to a warehouse that does not present comparable risks may be disproportionate.[4]
In its decision dated May 16, 2023, the Council of State held that tracking working hours through palm biometric data was unlawful because there was no concrete evidence demonstrating the need for superior security measures.[5]
Ultimately, the employer must be able to answer the following question correctly:
“What is the minimum amount of data we can process to achieve our legitimate purpose?”
Can Time and Attendance Tracking at the Workplace Be Done Using Alternative Methods to Biometric Technology?
Yes. Alternative methods for tracking working hours and attendance include:
- magnetic card systems,
- signature sheets,
- RFID (Radio Frequency Identification) tags,
- mobile verification codes sent to mobile phones, or
- SMS codes entered into the system.[6]
Some employers may argue that signature sheets are inefficient because one person can sign on behalf of another, and that magnetic card systems are ineffective because one person can use another person’s card. In response, the Authority states that time tracking should be ensured by (i) warning employees against such misuse, (ii) defining applicable sanctions if misconduct is detected, and (iii) informing employees accordingly to prevent malicious practices.[7] As an alternative to biometric technologies, for instance, installing cameras in the area where entry forms are signed may be considered.
Some employers may further argue that biometric processing is proportionate only for access to a specific section of the workplace due to enhanced security requirements. Limiting processing to those working in a particular department—rather than processing the biometric data of all employees—may align more closely with data minimization. However, even in such cases, the Authority may still prioritize less intrusive alternatives.
For example, an employer in paper production used a facial recognition system for access to the production department, citing that: the workplace was classified as hazardous; the work involved high-budget investment; the most serious accidents originated from paper-making machines; accidents could result in death; and untrained employees might enter using someone else’s card. The Authority did not consider these grounds sufficient to justify biometric processing. Although the employer argued that entry/exit was tracked through unique coding without retaining workers’ biometric records, the Authority concluded that the objectives of monitoring working hours and ensuring workplace safety could be achieved through less intrusive methods.[8] Ultimately, the Authority found the processing unlawful and imposed an administrative fine of TRY 500,000.
Sanctions and Authority Decisions
Under Article 12(1) of the Law, the data controller must take all necessary administrative and technical measures to prevent unlawful processing of personal data. In case of non-compliance, the Authority may impose an administrative fine under Article 18.
For 2025, the administrative fine for non-compliance with data security obligations ranges from TRY 204,285 to TRY 13,620,402.
The Authority may initiate an investigation upon complaint or ex officio. Employees frequently submit complaints to protect their personal data. Accordingly, employers should review processing activities and cease any unlawful practices.
The Authority has imposed administrative fines in investigations initiated upon employee complaints regarding biometric processing for work time tracking. Specifically:
- In its 2020 decision, it imposed an administrative fine of TRY 200,000.[9]
- In its 2022 decision, it imposed an administrative fine of TRY 500,000.[10]
Under Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data. Unlawful personal data processing may violate the data subject’s personal rights. Under Article 14 of the Law, the data subject retains the right to claim compensation under general provisions. Accordingly, an employee alleging that unlawful processing violated their personal rights may seek material and moral compensation.
It should also be noted that the unlawful recording, transfer, dissemination, interception, and failure to destroy personal data may constitute criminal offences under the Turkish Penal Code, punishable by imprisonment.
Unlawful personal data processing may therefore give rise to civil (compensation claims), administrative (Authority fines), and criminal sanctions. To mitigate these risks, employers should not process biometric data for work time and attendance tracking unless a specific situation demonstrates a genuine need for enhanced security.
References
(Only in Turkish) 12th Chamber of the Council of State, 2021/3870 E., 2023/2548 K. Numbered Decision. (2023, 05 16). Retrieved from LexPera: https://www.lexpera.com.tr/ictihat/danistay/12-d-e-2021-3870-k-2023-2548-t-16-5-2023
(Only in Turkish) European Union General Data Protection Regulation (GDPR), Article 4. (2016, 04 27). Retrieved from Republic of Turkey Ministry of Foreign Affairs – Directorate for European Union Affairs: https://www.ab.gov.tr/siteimages/resimler/Nihai-ABB-HCDB-GDPR.pdf
(Only in Turkish) Guideline on Considerations in The Processing of Biometric Data. (2025, 03). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/bd06f5f4-e8cc-487e-abe1-d32dc18e2d7e.pdf
(Only in Turkish) Summary of the Personal Data Protection Board’s 2020/167 Numbered Decision. (2020, 02 27). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/6738/2020-167
(Only in Turkish) Summary of the Personal Data Protection Board’s 2020/404 Numbered Decision. (2020, 05 20). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/6913/2020-404
(Only in Turkish) Summary of the Personal Data Protection Board’s 2022/797 Numbered Decision. (2022, 08 04). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/7434/2022-797
(Only in Turkish) The Constitutional Court's Decision with Application No. 2018/11988. (2022, 03 10). Retrieved from Republic of Turkey Constitutional Court Decisions Database: https://kararlarbilgibankasi.anayasa.gov.tr/BB/2018/11988
[3] ((Only in Turkish) Summary of the Personal Data Protection Board’s 2020/167 Numbered Decision., 2020)
[4] ((Only in Turkish) Guideline on Considerations in The Processing of Biometric Data, 2025, p. 17)
[5] ((Only in Turkish) 12th Chamber of the Council of State, 2021/3870 E., 2023/2548 K. Numbered Decision, 2023)
[6] ((Only in Turkish) Summary of the Personal Data Protection Board’s 2020/404 Numbered Decision., 2020)
[7] ((Only in Turkish) Summary of the Personal Data Protection Board’s 2022/797 Numbered Decision, 2022)
[8] ((Only in Turkish) Summary of the Personal Data Protection Board’s 2022/797 Numbered Decision, 2022)
-
Kemal Altuğ Özgün
Managing Partner
-
Tutku Şen Demirel
Mid-Level Associate