With the decision (“Decision”) dated 10.03.2022 and application numbered 2018/11988, published in the Official Gazette dated 19.04.2022 and numbered 31814, in the case of the employee is tracked by using the fingerprint recording system, the Turkish Constitutional Court has evaluated whether the use of fingerprint complies with legal regulations and has reached a conclusion that the right to request the protection of personal data within the scope of respect for private life, which is guaranteed in Article 20 of the Turkish Constitution, has been violated.
In this decision, the Constitutional Court (“Court”) has decided that fingerprint is certainly biometric data because it is different in each individual and contains personal information that will allow the biological diagnosis of the person. In addition to this, both within the scope of the Constitution and the Law on the Protection of Personal Data No. 6698, the Court has examined whether accessing, using, and processing this information constitutes an interference with the right to request the protection of personal data within the scope of the right to respect for private life, by considering that fingerprint is within the scope of information about a certain natural person.
In the concrete case, the applicant works as a public officer in a municipality and the administration records the applicant’s fingerprint and tracks the shift with the fingerprint tracking system. Accordingly, the applicant filed a lawsuit demanding the annulment of the aforementioned administrative act by claiming that the fingerprint recording system violated the right to request the protection of personal data within the scope of respect for private life. The Court of First Instance ruled to annul the administrative act, emphasizing that the applicant’s shift control with the fingerprint scanning system should be evaluated within the scope of the processing of personal data within the scope of the right to respect for private life because there is no detailed regulation in the Public Officers Law No. 657 on the control of the attendance status of public officers, it is a constitutional obligation to have a legal basis for the restriction of fundamental rights and at the same time it is one of the basic principles of the European Convention on Human Rights.
Administration applied to appeal against this decision and stated that the fingerprint system and the shift tracking served the purpose of supervising whether the personnel complied with the shift, do not violate the right to respect for private life and that the recorded fingerprints are kept in the personnel file and are not used in any other process. The Regional Administrative Court has ruled that there is no violation of the legislation in the shift tracking by recording fingerprints, since the applicant is obliged to continue working shift and the administration is obliged to control and supervise it. In addition, the Regional Administrative Court stated that the use of technological systems by the administrations in order to facilitate the effective and efficient execution of public services is in line with the public interest and service requirements. Following the decision of the Regional Administrative Court against the applicant, the applicant made an individual application to the Turkish Constitutional Court.
In this context, the Court stated that there is no doubt that the applicant’s fingerprint could be qualified as personal data and that the processing of the personal data in question constitutes an interference with the right to request the protection of personal data within the scope of respect for private life, which is guaranteed in the third paragraph of Article 20 of the Turkish Constitution. The Court examined this interference within the criteria of being foreseen by the law, having a legitimate aim, not being contrary to the requirements of the democratic social order and the principle of proportionality, as stipulated in Article 13 of the Constitution.
The Court pointed out that it is clear that according to Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Accordingly, it emphasized the fact that according to Article 6 of the Law on the Protection of Personal Data, sensitive data other than personal data related to health and sexual life can be processed in the presence of the person’s explicit consent. The Court stated that the only exception to this rule is that it is stipulated in the laws, as well. However, it stated that in the aforementioned regulation, the shift order of the institutions or organizations is not among the reasons for data processing without seeking explicit consent. Therefore, the Court pointed out that in order to record and use the fingerprints of public officers within the scope of sensitive personal data, this situation should be regulated separately and explicitly by law or the explicit consent of the public officers should be obtained.
In this respect, the Court stated that in the case of processing sensitive data based on the explicit consent of the employee, primarily, the principle of legality must be met in the context of Article 13 of the Constitution. Meanwhile, the Court emphasized that, in order to be able to mention the existence of explicit consent, it is imperative that the employee be adequately informed beforehand about the scope, purpose, limits and consequences of the personal data to be processed. However, it stated that within the scope of the administration’s control and management authority, these methods can be applied, as a rule, in the absence of a legitimate aim, less interference with rights and freedoms and no other suitable way to achieve this aim, and limited to the purpose. In this context, the Court also drew attention to the fact that constitutional guarantees that will protect the rights and freedoms of the employee should be provided by the administration in case methods involving the processing and sharing of personal data are used in the workplace.
On the other hand, the Court stated that in the absence of explicit consent for the processing of the personal data of the employee, sensitive personal data can be processed only in cases expressly stipulated by the laws and in this direction, it made an evaluation by examining the Public Officers Law and the Municipality Law. In this regard, the Court stated that there is no clear regulation in the Public Officers Law regarding the control of the employee’s attendance status and the processing of sensitive personal data for this purpose and also stated that in the Municipality Law, the mayor has the authority to manage the municipal organization, but there is no regulation for the processing of sensitive personal data within the scope of this authority.
Within the framework of the above-mentioned issues, the Turkish Constitutional Court decided that it is clear that there is no regulation in the legislation that determines the basic principles regarding the processing of sensitive personal data and the use of biometric data-based tracking systems for the purpose of shift tracking or employee supervision. Also, in the concrete case, the Turkish Constitutional Court decided that the applicant did not give explicit consent for the processing of his sensitive personal data, therefore the intervention subject to the application did not meet the requirement of legality and the right of the applicant to request the protection of personal data within the scope of the right to respect for private life has been violated.
You may access the Decision by this link.
To see our other articles, you may follow the NSN Bulletin via the link.
Authors: Bilge Derinbay, Aysu Eren Yüce