KVKK Prohibits Biometric Data Processing for Employee Attendance Tracking

The Turkish Personal Data Protection Board (KVKK) has issued binding Principal Decision No. 2026/921, dated April 29, 2026, and published in the Official Gazette on June 2, 2026 (Issue: 33268), strictly prohibiting the use of biometric identification systems for employee attendance tracking.

This ruling requires immediate attention from all foreign and domestic employers operating in Türkiye who currently utilize fingerprint scanners, facial recognition, or iris tracking systems to monitor employee working hours. As institutions turn to digitalization, the KVKK has intervened following numerous notices and complaints regarding this practice.

Official Decision Details:

  • Decision Number: 2026/921 (Decision Date: April 29, 2026)
  • Official Gazette Publication: June 2, 2026 (Issue: 33268)
  • Legal Status: Binding Principal Decision (mandatory transition to alternative tracking systems is required).

1. Legal Definitions and the Nature of Biometric Data

Under Article 6 of the Personal Data Protection Law No. 6698 (the Law), biometric data is strictly classified as "special category personal data". The categories of special nature are explicitly limited by the legislator and cannot be expanded by analogy.

The decision outlines how biometric data is defined across different legal frameworks:

  • National Legislation (Population Services Law No. 5490): Defines biometric data as unique personal data obtained from fingerprints, vein prints, and palm prints to enable electronic identification and verification.
  • European General Data Protection Regulation (GDPR): Broadens the definition to cover data resulting from specific technical processing of a person's physical, physiological, or behavioral characteristics that uniquely identifies a natural person.
  • Examples of Biometrics: The KVKK notes that fingerprints and retina/iris data are physiological; facial and hand geometry are physical (visible); while voice tone, signature dynamics, and keyboard usage habits are behavioral biometrics.

Because biometric data is highly sensitive and irreversible (it cannot be changed or retrieved if compromised), its protection is of utmost importance to prevent potential security breaches or personal victimization.

2. The Problem with "Explicit Consent" in Employment

Article 6 of the Law prohibits the processing of special category personal data unless specific conditions are met, such as explicit provisions in laws or the explicit consent of the data subject. Employers must also take adequate security measures determined by the Board's 2018/10 decision.

Because no specific employment laws mandate biometric tracking, employers have heavily relied on obtaining the "explicit consent" of their employees. However, the KVKK has ruled this invalid for the following reasons:

  • Power Imbalance: Explicit consent must be informed, specific, and based on free will. In an employer-employee relationship, there is a structural power imbalance that compromises the voluntariness of consent.
  • Lack of Free Will: If an employee cannot effectively refuse or withdraw consent without facing potential negative consequences, they do not have a genuine choice. Therefore, the consent is not based on free will.
  • Operational Conflict: Allowing employees to freely withdraw consent would ruin the continuity and applicability of a biometric tracking system. Thus, relying solely on explicit consent is not a sufficient legal ground.

3. Lack of Legal Basis in Labor Law

While the Turkish Labor Law No. 4857 (specifically Articles 63, 67, and 75) and related regulations legally require employers to announce working hours, keep personnel files, and document working times, they do not explicitly authorize the use of biometric identification systems to fulfill this obligation. Without a clear statutory provision, processing biometric data for this purpose is deemed unlawful.

4. Violation of the Proportionality Principle

Even if explicit consent were somehow valid, the KVKK asserts that biometric attendance tracking fundamentally violates the "General Principles" outlined in Article 4 of the Law. Personal data processing must be connected, limited, and proportionate to the purpose for which it is processed.

  • Necessity & Alternatives: Data processing must use the least intrusive method possible. There are numerous non-biometric alternatives available, such as encrypted/PIN-based cards, traditional signatures, paper-based sheets, RFID/NFC identity cards, or manual entry under supervisor oversight. The existence of these alternatives proves that biometric processing is not necessary.
  • Disproportionate Intervention: Attendance tracking is a limited administrative goal. Using highly sensitive, irreversible biometric data for a mere administrative task disrupts the reasonable balance between the intervention and the legitimate aim.
  • Risk of Misuse: The potential for this sensitive data to be combined with other systems or misused further solidifies that biometric tracking violates the proportionality principle.

5. Precedent High Court Decisions

The KVKK highlighted two major high court rulings to support its decision:

  • Constitutional Court (AYM): In a March 10, 2022 decision (App No. 2018/11988), a civil servant sued a municipality over fingerprint tracking. The AYM ruled that because the State Personnel Law and Municipality Law contained no provisions for biometric tracking, the practice violated the right to demand the protection of personal data.
  • Council of State (Danıştay): The 12th Chamber (Decision 2021/3870 E., 2023/2548 K.) and the Plenary Session of Administrative Law Divisions (Decision 2024/225 E., 2024/2625 K.) annulled a palm vein reading system used by an enterprise. The Council referenced previous KVKK rulings, emphasizing that processing special category data must strictly follow the proportionality principle and avoid unnecessary data collection.

6. Final Ruling and Sanctions

The KVKK formally concluded that biometric data processing for attendance tracking lacks a valid legal basis, fails the proportionality test, and cannot be salvaged by employee consent.

Mandatory Action: Employers must abandon biometric systems for attendance and transition to a non-biometric alternative. Approved alternatives for monitoring employee attendance include:

  • PIN-based or encrypted card systems.
  • RFID/NFC identity cards.
  • Traditional signature and paper-based attendance sheets.
  • Manual entry under supervisor oversight.

Sanctions: Under Article 12, data controllers are obligated to ensure data security and prevent unlawful processing. Because the violation is widespread, the Board issued this Principal Decision under Article 15(6). Employers who fail to comply with these rules will face administrative actions and penalties under Article 18 of the Law.

Turkish Trade Lawyers

We advise foreign companies on market entry, compliance, data protection, contracts, and disputes in Türkiye, with a practical focus on operational legal risk.


Frequently Asked Questions (FAQs)

Can we continue using fingerprint or facial recognition scanners if our employees sign detailed, written consent forms?

No. The KVKK has definitively established that explicit consent in an employment relationship is structurally flawed due to power imbalances. Employees might fear negative consequences if they refuse, meaning their consent is not freely given. Furthermore, even if the consent were valid, the practice would still violate the proportionality principle.

Does Turkish Labor Law require us to track attendance using biometrics?

No. While the Labor Law No. 4857 and related regulations require employers to document and track working hours and maintain personnel files, there is no explicit legal provision that mandates or authorizes doing so via biometric systems.

What exactly counts as "biometric data" under this decision?

Biometric data includes physiological data (fingerprints, retina/iris scans, vein prints, palm prints), physical data (facial recognition, hand geometry), and behavioral data (voice tone, signature dynamics, keystroke habits).

We use facial recognition for building access and security, not just attendance. Does this decision apply?

This Principal Decision specifically addresses biometric data processing for the purpose of "attendance tracking" (mesai takibi). However, the Board's strict interpretation of the proportionality principle indicates that using biometrics for general office access carries severe compliance risks. Turkish law requires adopting the least intrusive method to achieve a legitimate aim.

Are there any exceptions to this rule?

The current decision does not outline industry-specific exceptions for attendance tracking. The ruling is rooted in the fundamental principles of the Law No. 6698, specifically the requirement that data processing must be limited, relevant, and proportionate to its purpose.

What alternative methods are legally acceptable for tracking employee attendance?

The KVKK explicitly lists several acceptable, less intrusive alternatives. These include encrypted or PIN-based card systems, RFID/NFC identity cards, traditional signatures and paper-based attendance sheets, or manual entry under the supervision of a controller.

What steps must our local HR and compliance teams take immediately?

Employers must immediately cease using biometric systems for recording employee entry, exit, and working hours. Companies must transition to the alternative tracking methods explicitly endorsed by the KVKK, such as RFID cards or PIN systems.

What happens if a company continues to use facial recognition or fingerprint scanners for attendance?

Failure to implement the necessary administrative and technical measures to stop this practice is a violation of Article 12 of Law No. 6698. The KVKK has declared that data controllers who do not comply will be subject to enforcement actions and administrative fines under Article 18 of the Law.