The Constitutional Court of Turkey’s ruling on March 10, 2022, on the application numbered 2018/11988 regarding violation of the right to demand the protection of personal data within the scope of respect to the privacy of private life (“Ruling”) has been recently published in the Official Gazette. Pursuant to the Ruling, the Constitutional Court held that the right to demand the protection of personal data safeguarded by Article 20 of the Constitution has been violated due to the processing of special categories of personal data by the administration without a legal basis.
According to the Ruling, the applicant was employed as a public officer by the Söke District Municipality in Aydın (“Municipality”). During such period, the Municipality started fingerprint tracking in 2016. With the petition dated 15/04/2016, the applicant objected to the registration of the fingerprint and the tracking of the working hours with the fingerprint tracking system and requested the removal of this application.
After the Municipality rejected the request to end fingerprint tracking, the applicant filed a lawsuit for annulment of the administrative act with the Aydın 1st Administrative Court.
The administrative court ruled for the annulment of fingerprint tracking. However, the Municipality appealed the first instance ruling. The appeal was accepted by the 2nd Administrative Trial Chamber of the İzmir Regional Court of Justice, which concluded that the practice was in compliance with public interest and service standards and that taking employees' fingerprints to track their working hours did not infringe their right to privacy. The applicant then filed a personal application with the Constitutional Court (“Court”).
In the Ruling, it has been taken into account that the personal data under the Article 5 of the Law No. 6698 on the Protection of Personal Data (“KVKK”) which sets out conditions for personal data processing, cannot be processed without the explicit consent of the data subject, or that it can be processed without the explicit consent of the data subject under if regulated conditions are met.
Citing Article 6 of KVKK, the Court considered that because of the sensitive nature of biometric data, it is subject to stricter requirements. The Court has also stated that personal data can only be processed "only in cases stipulated by law or with the explicit consent of the person" according to Article 20 of the Constitution.
In the Ruling, a decision of the 25th Council of State Administrative Litigation Chambers was also emphasized. In this decision, it is stated that the principles and procedures regarding data protection must be regulated by law to systematically record personal data and that it is natural that the technology developed by the administrations in this framework has started to be used in the public sector because it facilitates the effective and efficient execution of public services, but that personal data is recorded by using technology. It has been mentioned that the application of fingerprint scanning, which is a form of obtaining personal data from the data subject, is within the scope of the principle of privacy, however the fact that there are not legal basis framing the boundaries of said application and that there are no safeguards preventing further processing of gathered personal data for other purposes results in application to be unlawful.
Accordingly, in the Personal Data Protection Board Decisions referred to in the Ruling, it was concluded that the establishment of a fingerprint scanning system for working hour control purposes within the data controller is contrary to the principle of proportionality.
In its assessment, the Court recalled the factors specified by the European Court of Human Rights (“ECHR”) in its ruling on the Case of Marper/United Kingdom. In said ruling, fingerprints were defined as personal data, and it was emphasized that the protection of personal data was of great importance for the protection of the right to respect for private life. In this context, to prevent the use of personal data from violating the guarantees, it is necessary to make arrangements in domestic law to provide adequate guarantees. The ECHR has also stated that domestic regulations should ensure that personal data is appropriate for the purposes for which it is stored and should not be excessive and that it is kept in a way that allows the data to be kept longer than required for storage.
The Ruling concluded that, in the case at hand, the Municipality's use of the fingerprint tracking system for tracking the applicant's work hours by recording personal data constitutes an interference with the right to request personal data protection within the scope of the right to respect for private life, which is guaranteed in the third paragraph of Article 20 of the Constitution.
Considering Article 20 of the Constitution and the KVKK's provisions, it could be said that biometric data within the scope of the special categories of personal data can be processed without obtaining consent if the data subject expressly consents or under certain specified situations. However, pursuant to KVKK, the operational status of institutions or organizations is not included as a cause for data processing without consent.
In the Ruling subject to the application, it is understood that the Municipality controls whether the personnel comply with the working hours with the fingerprint tracking system, and in this context, the fingerprint of the applicant is recorded and stored. It is found to be clear that the applicant did not consent to the recording of his fingerprints by the Municipality for overtime tracking and therefore the processing of special categories of personal data regarding him. Thereupon, the Court assessed that special category of personal data may be processed if it is expressly stipulated by law.
In this context, it has been examined whether the Law No.657 on Civil Servants (“Law No.657”) and Municipal Law No. 5393 (“Law No.5393”) contain a clear provision for the application subject to the Ruling and found no basis for the Municipality to record the fingerprints of its employees and to track the work hours with the fingerprint tracking system.
Therefore, the Court determined that Law No.657 and Law No.5393 do not include clear provisions regarding the processing of personal data to control employees' attendance.
Within the framework of the explanations, it was decided that the intervention subject to the application did not meet the legality requirement because the applicant did not consent to the processing of special categories of personal data and that the processing and use of biometric data in the control of the Municipality's compliance with working hours were not separately and explicitly stipulated by the aforementioned laws.
Finally, for the reasons stated, it was determined that the applicant's right to seek personal data protection within the scope of the right to respect for private life granted by Article 20 of the Constitution had been violated.