Güner Law Office | View firm profile
In the decision of the Constitutional Court Decision dated March 10, 2022 and numbered 2018/11988 published in the Official Gazette dated April 19, 2022 and numbered 31814 rendered as per the “Ramazan Şahin Application”, it was decided that the right to demand the protection of personal data within the scope of the right to respect for private life has been violated due to the tracking of his presence at the workplace with a fingerprint registration system.
I. SUMMARY OF FACTS
The fingerprint of the Applicant, working as a civil servant at the Söke Municipality (“Institution”), was recorded by the Institution upon the Institution having started to implement a fingerprint employee attendance tracking system at the workplace. The Applicant filed an objection with the Institution regarding the said practice, stating that the fingerprint is personal information that enables the physical identification of an individual. Upon the Institution’s rejection of the request, the Applicant filed a lawsuit at the Court of First Instance requesting the annulment of the administrative act. The Applicant’s attorney stated that there is no regulation in the legislation regarding the monitoring of personnel’s attendance, the Institution cannot guarantee how the recorded and stored data will be used or whether these records will be shared with other individuals and institutions, the said practice should be evaluated within the scope of privacy, and the consent of the Applicant and other personnel was not obtained for the implementation of this system. The Court of First Instance has accepted the lawsuit.
Upon the Institution’s application for appeal, the Applicant reiterated his previous statements and stated that personal data can only be processed in cases stipulated by the law or with the explicit consent of the person, the legal basis for the application is not certain and there is not sufficient assurance that the collected data will not be used in any other way. However, the Court of Appeal accepted the application of the Institution and decided to reject the case definitively. In the reasoning of the decision, it has been stated that the use of technological systems by the administrations in order to facilitate the effective and efficient fulfillment of public services is in line with the public interest and service requirements.
II. ASSESSMENT OF THE CONSTITUTIONAL COURT
Referring to the applications of Serap Tortuk and Nurcan Belin, the evaluation of the Applicant’s claim was based on the 1st and 3rd paragraphs of Article 20 of the Constitution, titled “Privacy of private life”. It has been emphasized that the State is obliged not to arbitrarily interfere with the private and family life of individuals and to prevent unjust attacks by third parties. It has been further emphasized that within the scope of the right to respect for private life, the individual has the right to privacy and this right includes the legal interest of the individual to control the information about himself. With reference to the E.U. application, it has been pointed out that personal data means all information relating to a person, and all data that makes the person identifiable, directly or indirectly, are within the scope of personal data.
At this point, it has been also emphasized that there is a limited number of categories of sensitive personal data and that their processing is subject to stricter conditions compared that of general personal data. It has been stated that the fingerprint is biometric data and, in this context, sensitive personal data, since it contains physiological information that belongs only to that person and helps to identify the person’s identity directly. Therefore, it cannot be processed (i) without the explicit consent of the person, (ii) if the conditions set forth in the Personal Data Protection Law are not met, or (iii) without any other explicit legal provision; and in the present case, it was determined that these conditions were not met. In addition, it was emphasized that the clear provision under the law must be articulated in a manner determining the basic rules and principles related to the subject regarding the limitation of fundamental rights and freedoms.
It has been highlighted that in order to implement methods such as the personnel tracking system by way of recording biometric data, within the scope of the administration’s supervision and management authority, the conditions such as the existence of a legitimate aim, the absence of another suitable way to achieve the aim that interferes less with rights and freedoms, and the implementation to be limited with the purpose must be met. Again, it has been pointed out that if such methods are used in the workplace, constitutional guarantees that will protect the rights and freedoms of the employees should be provided by the administration.
Upon the examination of the legislation, it has been stated that there are regulations regarding the working hours of civil servants and the determination of the start and end of daily working hours, but there is no clear regulation regarding the control of the employee’s attendance status and the processing of sensitive personal data for this purpose. In addition, it has been determined that the Applicant does not have explicit consent for the collection, processing and/or backup of fingerprint data, which is sensitive personal data. For the reasons explained, it has been concluded that the right to request the protection of personal data within the scope of the right to respect for private life has been violated due to the processing of sensitive personal data by the administration without any legal basis.