trends legal magazine
Employment Law No 7
TURKEY | Process of Personal Data
Do I need consent to process employee data?
As a general rule, the explicit consent of the data owner must be obtained when processing personal data in accordance with the Law on Protection of the Personal Data, numbered 6698 (hereinafter referred to as the “Law”). Again according to the Law, explicit consent must be based on an informed decision, which means the relevant person must be provided with sufficient information about the consent he/she is giving.
During the employment term, the employer processes personal data belonging to the employees, especially by means of storing. For instance, a personnel file must be kept due to obligations in the Labor Law and relevant legislation. Although processing with valid consent is the main practice, consent is not required where one of the exceptions for processing personal data foreseen under Articles 5 and 6 of the Law applies. Some of those exceptions are listed below for explanatory reasons:
- Documents that must be included in the personnel files. It should be noted that in most cases it is not clear which documents should be collected into and/or kept in the personnel files.
- Educational records can be processed under the necessity clause regarding the legitimate interests of the data controller.
- Criminal records can only be kept without the relevant person’s explicit consent when this is provided for in law, as they are sensitive data. For some professions, such as public servants, a criminal record is required.
- Some other data such as the bank account information of the employee is kept because it is necessary for the performance of the employment agreement.
However, in all these scenarios, the employer, as data controller, must fulfill the obligation to inform. This information may be given verbally or in writing. Taking the evidential difficulties into consideration, it is recommended to inform the employees of such data processing in writing.
Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. For instance, workplace doctors may process health data without explicit consent in some circumstances, as their occupational legislation puts them under a secrecy obligation.
What are the privacy and data protection issues inherent in alcohol / drug testing?
In alcohol/drug testing, the data processed is considered health data. As per the Law, such data can only be obtained with the explicit consent of the test subject. The employer is also under the obligation to provide the employee with information including what method will be used for alcohol and drug testing (blood, urine, etc.), for what purpose these tests are applied to him/her, and what the medical risks are. The employee should also be able to challenge and object to the results.
Article 23 of the Civil Code also provides that written consent is required to obtain human-based biological material. Thus, written consent is crucial. However, in the context of the Law, the obligation of consent may be problematic since consent may be revoked at any time.
In addition, the principle of proportionality must be followed. The tests are proportional only if the nature of the work calls for such tests for legitimate reasons, such as health and security. For instance, testing only certain employees such as drivers is proportional, but testing all employees may be deemed disproportionate and thus the processing may be deemed unlawful.
How can I legitimately monitor employees’ email, internet usage and social media?
There are no data protection regulations specific to this topic. However, there are decisions from the Personal Data Protection Board and the Constitutional Court. According to these decisions, the employer can supervise the employee’s use of email and the internet and can also limit it under the employer’s right of management. However, the rights of the employer must be balanced with the employee’s right to privacy and protection of personal data. To investigate such media, there must be a legitimate reason, such as maintaining efficient performance of the work or avoiding legal and penal liabilities related to the actions of the employee. Another principle to take into consideration is that the monitoring must be proportional. For such monitoring to be lawful, it must be absolutely necessary for achieving the intended purpose.
The most important point is informing the employee about the monitoring. According to the Constitutional Court, consent and information given at the beginning of the employment remain valid as long as the consent is not revoked. Therefore, it is not necessary to obtain consent before each act of investigating the mail, internet search history, etc. A practical approach to satisfy the informing condition would be to add a provision explaining that the employer has the right to monitor the employee’s electronic devices, etc., without prior announcement.
What are the limits of using artificial intelligence in employment?
We can define AI in this context as a function that takes data as input and forms decisions and analyses by processing this data. Employers can use AI as an aid or as the sole decision-maker in topics such as performance evaluations, promotions and redundancies. AI can also be used in identification and monitoring systems.
Under Turkish data protection law, the use of AI is not prohibited. Therefore, it is possible to use AI in the workplace within the limits of general data processing regulations. However, the principles of data minimization and transparency are especially important, because they are easy to violate: AI by its nature requires more and more data to perform better, and it suffers from the “black-box” problem (meaning that while the input and the output are apparent, the underlying processes are opaque).
The Law provides the right to object to decisions that go against the person himself/herself and that are made by analyzing the data processed solely through automated systems. The bias problem in AI should also be considered, as AI might make biased decisions based on the data it processes and might cause discrimination in the workplace. Thus, a human supervisor should be added to the decision-making systems to mitigate these risks.
The Turkish Data Protection Board published the “Recommendations for the Protection of Personal Data in the Field of Artificial Intelligence” as a guiding document. The Board, in addition to the principles of protecting human rights, social and ethical values, emphasizes that a data protection compliance program specific to the AI project must be implemented in order to comply with the personal data protection requirements. Other than that, if the risk is predicted to be high regarding the personal data, a privacy impact assessment should be made to decide the legality of the processing activities. Whenever possible, anonymized data must be fed to the AI instead of personal data.
As the use of AI increases, the violations and thus the regulations on the topic will undoubtedly increase. For now, the general principles of data processing and the Recommendations for the Protection of Personal Data in the Field of Artificial Intelligence, published by the Data Protection Board, must be abided by.
What are the data protection issues in whistleblowing?
Unlike the EU, with its Directive on creating an internal due diligence system for whistleblowing in the workplace, there is no such regulation under Turkish Law, but the case law is being formed as the days pass, taking into consideration the intertwined nature of the global and local actors and global regulations for whistleblowing. For the time being, the High Court of Appeals seems to be somewhat in favor of the whistleblowers. It can be said that the right (maybe duty, in accordance with the characteristics of the incompatibility) of the employee to report unjust and/or unlawful acts of the company outweighs the employee’s loyalty obligation to the employer; however, this should be evaluated separately in each case, taking the case’s characteristics into consideration. This seems to be the common evaluation for whistleblowing cases in Türkiye for now, as the lack of a special regulation on whistleblowing dictates an evaluation on a case-by-case basis.
No specific systems that encourage and protect the whistleblowers are enacted, and the relevant data privacy issues should be evaluated according to general principles.
There are several data protection aspects to whistleblowing. When a report is submitted to the employer, processing such a report causes data to be processed. Therefore, in accordance with the general principles for data processing, only data relevant to the reported issue should be kept, in compliance with data minimization, and the data should be stored only for a reasonable time, such as the time necessary for internal examination, etc.
It is crucial to keep the identity of the whistleblower confidential, as the opposite may give way to retaliation, and it might be necessary to alter the data accordingly. However, the rights of the accused as a data subject should also be taken into consideration. The accused must be informed that their data is being processed, as the Law provides an obligation to inform, but this may hinder the possible investigation. Hence a delicate balance should be kept, taking each case’s characteristics into consideration. The accused also has the right to access such data, which may conflict with the whistleblower’s rights. The right of access by the accused can be maintained by omitting the data which might hinder the rights of the whistleblower.
Another practical solution may be to inform the employees about the whistleblowing system established at the employer. This may remove the requirement to inform the accused when a complaint is submitted about them, provided that the informing obligation has been satisfied with regard to that employee.
It is also worth noting that the Law provides exemptions in certain situations. For instance, the obligation to inform is not applicable when data processing is necessary for the prevention of a crime or for crime investigation. With the application of this provision, reports may be kept confidential, especially from the accused person. It is also possible not to provide the accused with the right of access and other rights, such as the right to request the erasure of data, when the data are being processed by judicial authorities or execution authorities regarding investigation, prosecution, judicial or execution proceedings.
Emre Gökhan Atayılmaz, Partner
Naz Tarım, Associate
Mehmetcan Tuğrul Demir, Associate
Fatma Betül Uçar, Legal Associate Intern
Article from – TRENDS Employment Law No 7