Türkiye says employers cannot rely on biometrics for attendance monitoring

The Personal Data Protection Board of Türkiye has ruled that using biometric data such as fingerprints or facial recognition to track employee working hours is generally unlawful under the country’s personal data protection law. The Board said that even with employee consent, such processing often fails the principle of proportionality because less intrusive alternatives are available. While employers are legally required to monitor attendance, there is no specific legal requirement that they do so using biometric systems.
The decision reflects a growing regulatory trend in Europe and other privacy-focused jurisdictions, where biometric processing is increasingly assessed against principles of necessity and proportionality rather than simply whether consent has been obtained.
Biometric attendance systems have become increasingly common in workplaces around the world, particularly following the return to office work after the COVID-19 pandemic.
According to the Türkiye data board, such biometric data processing cannot rely on the “explicitly provided for by law” condition set out in the Personal Data Protection Act. “Explicit consent” from employees, as the term is used in the legislation, is also deemed insufficient: the inherent power imbalance in employer-employee relationships means consent is rarely given freely, and the ability to withdraw consent would undermine the system’s functionality. The Board noted that workers may fear negative consequences if they refuse, meaning they do not have a genuine choice.
The board said some of the most frequent complaints and notifications it receives have to do with the tendency of institutions and organizations to adopt biometric identification systems in order to digitize employee attendance tracking and enhance security.
The board also noted that since there is no explicit provision specifying how employee hours monitoring should be conducted or requiring that it be carried out through the processing of biometric data, “processing biometric data cannot be accepted as being based on the condition of being explicitly provided for by law.”
Following its analysis, the body has directed that alternative and less invasive methods for tracking working hours, such as PIN-based systems, RFID/NFC cards, traditional paper logs, or manual entry under supervision, must be used instead.
Authorities warned that data controllers who continue to use biometric systems for employee attendance monitoring without a valid legal basis could face administrative penalties under Article 18 of the law.
The ruling does not prohibit workplace biometrics altogether, but it raises the bar for employers seeking to justify their use. Organizations will likely need to demonstrate that biometric processing is necessary for a specific security or operational purpose, rather than merely a more convenient way to track attendance.