The purpose of this article is to give a brief summary of the privacy, data protection and data use in employment specifically in terms of hiring and on-boarding process under Turkish Labour Law (“Labour Law”) and Personal Data Protection Law (“PDPL”) from an employer perspective.

According to PDPL, personal data is defined as any information relating to an identified or identifiable real person. Data such as photos, identification information, phone numbers, e-mail addresses will be considered as personal data and the storage process in question will be considered as personal data processing activity.

Companies are keen to collect more information about the employee candidate for evaluating whether he/she is the right person for the position. Even though PDPL provides no specific rules in the employment context, it is crucial to determine the rules for the processing of employee candidates’ personal data by taking Turkish Labour Law, Personal Data Protection Law and applicable legislation together.

How do I handle the issue of background checks, including those involving sensitive personal data such as criminal records?

Background check is a common way for a company to learn more about an employee candidate. In most circumstances, since the company can decide whether to enter into an employment contract with a candidate at the recruitment stage even without background check information, it will be arguable to consider that background check information of the candidate is necessary for conclusion of an employment contract.

Having said that, it should be underlined that, there is no law that specifically regulates conducting background checks on employee candidates. However, PDPL and the Labour Law should be taken into consideration when conducting these background checks. For background checks that concern the candidates’ sensitive personal data such as health, criminal records, political opinions, association or foundation memberships or any other sensitive personal data, the candidates should be informed, and their prior consent is required. However, for background checks concerning the candidates’ previous work experience, educational background or any other non-sensitive personal data consent may not be required.

By taking the above into consideration, it should be kept in mind that such records cannot be used for discriminatory purposes and in any case the employer must process the personal data lawfully ensure the security of the personal data, in accordance with PDPL and the applicable legislation.

Are there particular issues in checking candidates’ social media profiles?

There is no specific regulation in relation to checking on candidates’ social media profiles. Furthermore, to the best of our knowledge there is no court decision in that respect. Hence, the issue is not crystal clear. Nevertheless, PDPL and the Labour Law should be taken into consideration while determining the limits and methods of checking candidates’ social media profiles.

In most cases, social media functions as an open area that is available for the search on the potential employees including substantial information on their background. Hence, it is an encouraging subject for the employers when it comes to finding out the content and information provided by the candidates.

As for carrying out a search on the candidates’ social media profiles, it is substantial to request the relevant information (i.e., social media profile information) directly from the candidates (via online application platform) unless it is provided by the employee on his/her CV. Hence, carrying out a search on the private information without the candidates’ consent is not advisable. Carrying out a background search is arguable, if the employee’s profile is not open and available for anyone checking it. We are of the view that in such a case, the employer should act prudently and refrain from carrying out a search.

In any case, information provided by candidates through social media platforms should not be used as a discriminatory tool when assessing the candidates during the recruitment process.

To be on the safe side we are of the view that the employer should ask for the consent of the candidate for carrying out on candidates’ social media accounts. Nevertheless, the risk would be low in the event that candidates’ social media accounts are open to the public.

Can I ask candidates about their Covid19 vaccination status?

Yes, however, under PDPL, health data is deemed to be the sensitive personal data. Therefore, an employer cannot ask whether its applicants have been vaccinated without having their explicit consent regarding the retention and processing of this health data.

However, it would be possible to ask the question if (but not risk free for an employer): (i) the question is asked and the data is collected on a completely anonymous basis, without it being possible to link the answers back in any way to the relevant applicants; and (ii) as long as it is made clear to the applicants that the question is being asked on this basis. However, there still remains a risk if someone could find out the relevant employee’s identity; for example, by checking the employer’s records.

Are employees entitled to lie or to omit information; if information is subsequently found to be false, what can I do?

During the recruitment process, the employer often requires the employee to provide certain information on the employee’s skills and qualifications such as the employee’s age, educational background, foreign language skills, work experience, etc. Accordingly, the employee should provide the relevant information which would constitute a part of the contract. The employee shall provide accurate information. Failure to do so would entitle the employer to terminate the employment contract unilaterally and rightfully.

Under Turkish Labour Law, an employer may terminate an employment contract with immediate effect (i.e., without a notice), provided that such termination is based on rightful reason. I such a case, employer is not obliged to pay a statutory severance pay or payment in lieu of notice.  

In connection with the above, if the employee misled the employer by providing the employer with substantial information on his/her background and qualifications such as having a degree, ability to speak a foreign language etc. then this would cause a rightful reason for the employer to terminate the employment contract.

How should I deal with the personal data of unsuccessful candidates?

In principle, any personal data shall be erased, destructed or anonymised by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process unless otherwise allowed by PDLP. The obligation of the controller is to erase, destruct or anonymise personal data in cases where the reason for processing disappears. It is not necessary for the data subject to separately apply for this.

The Data Protection Board (“The Board”) has issued the Regulation on Erasure, Destruction and Anonymisation of Personal Data (“Regulation”). Under the Regulation, every data controller must prepare and put into force an internal policy for the erasure, destruction and anonymisation of personal data. This internal policy should create a regular monitoring system for the entire personal data kept by the data controller. Regular monitoring should be made at intervals of six months or less. At each monitoring session, the data controller must determine whether the legal grounds for keeping the personal data are still in place. If there is any personal data for which there is no legal ground for keeping, the relevant personal data must be erased, destroyed or anonymised.

In connection with the above, the employer can keep the details of unsuccessful candidates on file, provided that it complies with its duties in relation to the retention of personal data under the Turkish data protection legislation. There are no pre-defined general periods envisaged for the retention of specific categories of data. Thus, the main rules and principles set forth regarding data processing activities within the PDLP must be taken into consideration in order to determine lawful retention periods for the processed personal data. In that regard, it is advisable to inform and obtain the consent of the employees for keeping their personal data to be used for potential hirings in the future.