• Protection of Personal Data within the Scope of Labor Law
  • August 15, 2017
  • Protecting private lives has become a natural need in the age of technology in which almost every place is equipped with cameras and where information, images, and ideas can be shared easily and without boundaries. Within this context, the legal regulations on the protection of personal data have a very wide scope of application by penetrating every branch of law in which real persons are involved. This branch, which is developing in our country, is a leading topic that should be taken into consideration immediately in terms of employers. In this article, we shed light on the obligations of employers within the framework of Law No. 6698 on Protection of Personal Data ("LPPD") and related legislation.
    The LPPD regulates, in detail, the data subject, data responsibility, data processing conditions, exceptions, and the rights of data subjects, and defines general and private data1. The LPPD, which was drawn from Article 20 of the Constitution and from the International Contracts2, has constituted the field of application of the obligations laid down in Article 419 of the Turkish Code of Obligations and Article 75.2 of the Labor Law. Within this context, employers who are deemed as data supervisors will need to pay attention to the following rules when obtaining, using, storing, and submitting their employees' information.
    Confidentiality Obligation
    As clearly laid down in Article 75.2 of the Labor Law, "The employer is obliged to use their employees' information in accordance with the principles of fairness and law, and not to disclose the confidential information in case the employee has fair advantage." The LPPD has placed an express consent3 rule through this regulation and has begun to seek an express consent to acquire, process and transmit the data and granted a great importance to this consent. Within this context, the employer shall not share data to the third party without the consent of the employee anymore, and without exception, s/he shall keep the information secret without any subjective evaluation4.
    Enlightenment Requirement
    The employers or the persons they authorize are obliged to inform the employees and the candidates while collecting personal data with regard to the method and legal reasons for collection, the place where the data will be retained, the persons who have access to the data, and to whom this data might be transferred. In addition, upon their employees' and candidates' requests, the employers must enlighten them about where they used, and to whom they transferred, any personnel data. Within this scope, the employers have to correct the wrong and/or incomplete information and keep the records updated.
    Data Transfer Abroad
    In multi-national companies, if foreign shareholders have access to data kept by companies, these countries shall be announced to employees and candidates, and a written statement to release such data shall be obtained from them. The LPPD also seeks special assessments of the target country when personal data is transferred. In addition, the relevant countries should be safe, otherwise the parties should ensure that the data is in secure, and the Board of Protection of Personal Data ("Board") shall give permission within this scope. In the upcoming period, a list of safe countries will be announced by the Board, and the procedure for permission will be clarified.
    Obtain Data Only in the Scope of the Purpose
    Employers collect all kinds of information about their candidates and keep this data in their records. However, the LPPD clearly regulates that only necessary information that is useful for a significant purpose may be obtained, and that this information can be used and kept only within the scope of this specific aim. Therefore, employers may only reserve the obligatory data related to fulfilment of the mission and to the employees' capabilities. Other types of information retained by the employers shall cause liability issues.
    Within this scope, employers may no longer request the candidates to provide salary information concerning their previous jobs, or their criminal records, and they cannot ask whether the candidates smoke or drink alcohol, or are expecting to marry or have a baby, or not. However, if the workplace or qualification of the job requires this information, then such questions may be asked. For instance, a driver may be asked if he has been subject to a traffic crime, or an accountant's assets may be investigated5. Otherwise, these kinds of questions shall be a breach of the LPPD. As well, since these questions cause discrimination, and are against the principle of equality, they shall be deemed as invalid.
    Provide All the Necessary Precautions for Data Protection
    Companies reserve all kinds of information in their computers. Hence, employers shall provide an appropriate level of safety in order to prevent the illegal use of data and the access of third persons to them. Within this purpose, employers shall protect their employees'/candidates' information with a high-level virus program, and take all the necessary precautions against a cyber-attack. Naturally, employers can outsource this mission; however, pursuant to the Article 12.2 of the LPPD, their responsibility remains in the event of a breach.
    Exceptions to Obtain a Written Statement within the Scope of the Labor Law
    Article 5.2 of the LPPD sets forth the exceptions where a written statement is not necessary. Although these facts can be observed frequently in the Labor Law, we would like to warn employers that they should not trust these exceptions only, and should act prudently while categorizing the data they have.
    The most frequent exemption in the Labor Law shall be the data shared during workplace investigations. In this case, personal files may be submitted to such inspectors without the written consent of the employees. However, it is crucial for the employers that they share only general information, not private information, such as the employee's race, ethnic origin, political and/or philosophical view, religion or other personal beliefs, appearance, membership of an association and/or syndicate, health, sexual orientation, criminal records, and biometrics and genetic data. Private information can be shared only with the express approval of the employees, even though the conditions of an exemption are observed.
    On the other hand, the employers can submit their employees' data without written consent to institutions in order to fulfill their legal obligations, such as paying their employees' social premiums and/or taxes. For instance, employers can share bank account details of their employees with banks in order to pay their salaries, and they shall give the social security number in order to commence the social insurance payments for their employees.
    In addition, the LPPD does not seek for written consent for the use of personal data which is disclosed by persons, themselves. Within this scope, an employer can keep and use the information which is shared through the internet by its employee. However, it appears that the field of application of this provision will be shaped in line with jurisprudence, since social media accounts are deemed as a private zone, and profiles are limited, it will cause a breach to the confidentiality of private lives and the provision of the LPPD, when employers who are not in the contact list of their employees, monitor their employees and use the outcomes against them.
    Registration with the Registry of Data Supervisor
    The LPPD regulates a Registry for Data Supervisor; however, this registry has not yet been created.
    Elimination of The Employer's Remaining Data
    As mentioned, above, pursuant to the LPPD, employers cannot archive information unless it is legally necessary. Therefore, the CV's of candidates who have not been employed, should be deleted or anonymized, and should not forward the same to other employers without the written consent of the candidates. The employers shall delete or anonymize the data of the persons who have resigned from employment, as the case may be, at the end of the statute of time limitation considering a possible litigation, and/or at the end of the legal retention period (for example, the documents regarding health controls should be kept for 15 years). The information regarding employees' habits, emotional, social, economic structures, and characteristics must be destroyed. The employees shall be entitled to demand the erasure of this data, as well. This right is defined as "the right to be forgotten" in doctrine6.
    Policy Formulation
    Temporary Article 2 of the LPPD grants time until 26.03.2018 in order to fulfill the abovementioned obligations. Within this period, employers should make comprehensive archive surveillance, categorize their data as general or special, determine how to protect them, and who may have access to them, and keep them confidential with high-level precautions. They should state the unnecessary information in line with the abovementioned principles and erase them, and/or obtain written consent that the LPPD foresees, from the owners. Finally, in order to ensure that the system works smoothly, they should audit their workplace regularly. In addition, it can be beneficial to create a drill plan against a risk of a cyber-attack.
    Sanctions
    Pursuant to Article 135 of the Turkish Criminal Code, the employers who obtain and keep personal data by breaching the abovementioned provisions, shall be imprisoned from one to three years. The sanction shall be increased by one-half if the data is subject to special information. In addition, Article 17 of the LPPD regulates the reasons for administrative fines. In accordance with this article, breach of the obligation to inform the employees may cause fines to be imposed of TRY 5.000 up to TRY 100.000; breach of the obligations regarding data security may cause fines to be imposed of TRY 15.000 up to TRY 1.000.000; breach of the decisions of the Board regarding complaints of the employees may cause fines to be imposed of TRY 25.000 up to TRY 1.000.000; breach of the obligation to notify and to register with the Data Supervisors Registry may cause fines of between TRY 20.000 up to TRY 1.000.000 for administrative fines. In addition, it should be emphasized that in the group or affiliate companies, each company who determines the purposes of the usage of data and who organizes the records shall be deemed as Data Supervisor and shall be liable for their acts, individually.
    Conclusion
    Employers should eliminate the data they have in their system immediately, should obtain written consents from the relevant employees and from now on, should limit themselves to specific purposes while obtaining information from their candidates and/or employees. They should adapt their workplace organization in accordance with the LPPD, should educate their personnel immediately, as well as audit their system frequently. Within this scope, employers should determine whether the data to be obtained is actually necessary, useful and relative for the fulfilment of the contract and/or performance of the employee's mission, as a reflex; otherwise, employers shall be faced with considerable fines after 26.03.2018.
    1 For detailed information please see: http://www.erdem-erdem.av.tr/publications/law-post/personal-data-protection-under-turkish-and-european-legislation--ii/ (Accessed on 01.08.2017).
    2 For detailed information please see: http://www.erdem-erdem.av.tr/publications/law-post/personal-data-protection-under-turkish-and-european-legislation/ (Accessed on 01.08.2017).
    3 For detailed information please see: http://www.erdem-erdem.av.tr/publications/law-post/personal-data-protection-under-turkish-and-european-legislation--ii/ (Accessed on 01.08.2017).
    4 Başalp, Nilgün, Kişisel Verilerin Korunması ve Saklanması, Ankara 2004.
    5 MANAV, Dr. A. Eda, İş İlişkisinde İşçinin Kişisel Verilerinin Korunması, Gazi Üniversitesi Hukuk Fakültesi Dergisi C. XIX, Y. 2015, Sa. 2 http://webftp.gazi.edu.tr/hukuk/dergi/19_2_3.pdf (Accessed on 01.08.2017).
    6 For detailed information please see: http://www.erdem-erdem.av.tr/publications/newsletter/the-eu-general-data-protection-regulation-and-its-territorial-scope/ (Accessed on 01.08.2017).
    ---------------