The Board’s Decision dated 16.12.2021 and numbered 2021/1258 on the unlawful processing of personal data by the data controller company whose employment contract has ended
The following issues were briefly mentioned in the complaint petition, which is the subject of the Board’s Decision:
- When the data subject applied to the data controller company for her/his personal data, the data subject realized that the company did not have an application form; also, the application methods were not informed to the data subject;
- The obligation of the data controller to inform has not been fulfilled in accordance with Law;
- The sensitive personal data of the data subject has been processed without her/his explicit consent;
- It is entered into the data controller company with a fingerprint and face scanning system;
- The data controller has branches abroad of different companies of the group company, and when the data subject visits the foreign branch, her/his personal data is transferred abroad without her/his explicit consent;
- Sufficient technical and administrative security measures are not taken for the personal data of the data subject;
- The data controller company does not have a privacy policy on its website.
In this regard, it was requested by the Board to take necessary action.
In the letter sent by the data controller to the Board upon the complaint of the data subject, the following issues were addressed:
- The company keeps the personal information of all employees in accordance with the measures in the Law.
- All the allegations made in the petition “that there is no application form when an application is made for personal data, that the methods of application are not notified, that the obligation to inform is not fulfilled” are all untrue;
- From the expressions in the article titled “Processing and Protection of Personal Data” of the employment contract signed by the data subject, it can be seen that the company fulfills its obligation of informing;
- The privacy notice is also published on the address, which is a social network established by the company only for its own employees, and this privacy notice contains detailed information on how to apply for personal data and methods of application;
- A fingerprint and face scanning system is used to ensure the safety of the company and its employees, and fingerprints are also taken from the data
subject in this context; after identification, these data are not shared with third parties and are used in accordance with the Law and to a limited extent, apart from these, there is no sensitive personal data processed by the company belonging to the data subject;
- There is no personal data of the data subject to be transferred abroad;
- It is not possible to accept the allegations that adequate technical and administrative security measures are not taken for the personal data put forward in the complaint petition and that there is no privacy policy on the data controller’s website. The data controller claims that all necessary technical and administrative security measures to protect the personal data of its employees and customers have been taken.
As a result of the investigation carried out on the subject, the Board has stated that the data controller has noted that the application form and the privacy notice are included in a social media platform that only company personnel can access. Still, this application form is not included in the appendix of the defense petition. The privacy notice only includes its image on the platform in the appendix of the defense petition. The article of the employment contract signed by the data subject, which is claimed to replace the privacy notice, has been written in the form of a mixed text, which contains statements both for information and for obtaining explicit consent from the data subject, and which does not fully include the minimum elements that should be included in the privacy notice and explicit consent. For this reason, the Board has decided that the formal informing is not done in accordance with the procedure since the obligation to inform and the requirement of obtaining explicit consent to be fulfilled separately are not met. However, the Board has decided that the Decision of the data subject on whether to give explicit consent for the processing of sensitive personal data cannot be said to be based on free will since an article was added to the employment contract in order to obtain the explicit consent of the data subject regarding the processing of sensitive personal data, and the explicit consent was submitted in conjunction with the employment contract. The Board also has decided that the reason for processing the data subject’s fingerprint and face scan data was disproportionate to the need to ensure the security of the company employees, which the data controller stated. While it is possible to achieve the same purpose with methods such as magnetic card readers and checklists that do not require the processing of biometric data, it has been decided that biometric data processing by the data controller is not in accordance with the principle of proportionality, one of the general principles of the Law by the Board. At the same time, it was stated in the Decision that data controllers are obliged to fulfill the obligation of informing within the scope of the Law, but it is stated that there is no obligation in the Law and other legislation regarding the preparation of a privacy policy by data controllers. Accordingly, the Board has decided to impose an administrative fine of 125.000 Turkish Liras on the data controller.
You may access the Decision by this link.
To see our other articles, you may follow the NSN Bulletin via the link.
Authors: Bilge Derinbay, Hande Ülker Pehlivan, Bengisu Çakırca
Contact: bilge.derinbay@nsn-law.com