Biometric Employee Attendance Systems Under Turkish Law: KVKK's Landmark 2026 Decision

The use of fingerprint scanners, facial recognition systems, and other biometric technologies for employee attendance tracking has become increasingly common in workplaces across Türkiye. However, Principle Decision No. 2026/921 of the Turkish Personal Data Protection Authority (KVKK) establishes that the processing of biometric data for attendance monitoring purposes generally fails to satisfy the requirements of Turkish data protection law. The Authority concluded that employee consent alone is usually insufficient due to the inherent imbalance of power in employment relationships. The decision places particular emphasis on the principles of necessity, proportionality, and data minimization, requiring employers to consider less intrusive alternatives before processing biometric data. It also aligns Turkish practice more closely with GDPR principles and the approach adopted by European data protection authorities. Employers using fingerprint, facial recognition, or similar technologies may face regulatory investigations, administrative sanctions, civil liability, and reputational risks if their systems cannot be justified under the new framework. The decision is expected to have significant implications for workplace privacy compliance, employee monitoring practices, and corporate governance across both domestic and multinational organizations operating in Türkiye. Bıçak Law Firm advises employers on KVKK compliance, workplace privacy audits, biometric data processing, employee monitoring policies, regulatory investigations, and the implementation of legally compliant attendance tracking solutions.


Biometric Attendance Tracking Rules for Employers

1. Introduction

The use of biometric technologies in the workplace has expanded significantly over the past decade. Employers increasingly rely on fingerprint scanners, facial recognition terminals, iris recognition systems, and similar technologies to monitor employee attendance, manage access control, and enhance workplace security. These systems are often promoted as efficient, reliable, and resistant to manipulation. At the same time, however, biometric technologies raise some of the most serious privacy and data protection concerns in modern employment relationships. Unlike passwords or identification cards, biometric characteristics are unique to an individual and generally cannot be changed if compromised. Consequently, the collection and processing of biometric data expose employees to heightened risks relating to privacy, identity theft, unauthorized surveillance, and misuse of personal information.

Recognizing these concerns, the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu – KVKK) published Principle Decision No. 2026/921 on 2 June 2026 concerning the processing of biometric data for employee attendance tracking purposes. The decision represents one of the most significant developments in Turkish data protection law in recent years and is likely to affect thousands of employers operating in Türkiye. The Authority concluded that biometric attendance systems generally fail to satisfy the proportionality requirements established under Law No. 6698 on the Protection of Personal Data (KVKK). Importantly, the Authority further determined that employee consent alone will generally not provide a sufficient legal basis for the use of biometric attendance systems because of the inherent imbalance of power that exists within employment relationships. This development aligns Turkish practice more closely with emerging European privacy standards and signals a stricter regulatory approach toward workplace surveillance technologies.

2. What Are Biometric Data Under Turkish Law?

2.1 Definition of Biometric Data

Biometric data refers to personal information derived from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual that enables or confirms that person’s unique identification. Examples include fingerprint patterns, facial geometry, iris structures, retina characteristics, voiceprints, hand geometry, gait recognition, and certain behavioural identifiers. These characteristics distinguish biometric data from ordinary personal information because they are intrinsically linked to an individual’s identity.

Under Turkish data protection law, biometric data are classified as a special category of personal data requiring enhanced legal protection. Similar treatment exists under the European Union’s General Data Protection Regulation (GDPR), reflecting an international consensus regarding the sensitivity of biometric information. The Turkish Data Protection Authority emphasized in its Principle Decision that biometric identifiers possess a unique and largely irreversible nature. If such information is compromised, individuals generally cannot modify or replace their biometric characteristics in the same way that they could change a password or replace an identification card.

2.2 Examples of Biometric Data

Biometric technologies may utilize numerous physical and behavioural characteristics for identification purposes. Common examples include:

  • Fingerprint recognition systems;
  • Facial recognition technologies;
  • Iris recognition systems;
  • Retina scanning technologies;
  • Voice recognition systems;
  • Palm vein recognition systems;
  • Hand geometry analysis;
  • Behavioural biometrics based upon keyboard usage, typing patterns, or movement characteristics.

In workplace environments, fingerprint scanners and facial recognition systems have become the most commonly deployed biometric attendance tracking solutions.

2.3 Why Biometric Data Receive Special Protection

The rationale for enhanced legal protection is straightforward. Unlike conventional identifiers, biometric characteristics are permanent or extremely difficult to alter. Once compromised, an individual may face long-term consequences because the affected biometric trait generally cannot be replaced. The risks associated with biometric data include:

  • Identity theft and impersonation;
  • Unauthorized surveillance;
  • Function creep and secondary uses;
  • Security breaches affecting large populations;
  • Long-term privacy violations;
  • Discrimination and profiling risks.

For these reasons, regulators worldwide increasingly view biometric processing as requiring heightened scrutiny and strict legal justification.

3. Legal Framework Governing Biometric Data Processing in Türkiye

3.1 Law No. 6698 on the Protection of Personal Data

The primary legal framework governing biometric data in Türkiye is Law No. 6698 on the Protection of Personal Data (KVKK). Biometric information falls within the category of special categories of personal data, which are subject to stricter processing conditions than ordinary personal information.

Article 6 of the KVKK establishes the circumstances under which special categories of personal data may be processed. The provision reflects the legislature’s recognition that certain types of personal information pose elevated risks to individual rights and freedoms. Because biometric information enables unique identification and carries significant privacy implications, employers must satisfy enhanced legal requirements before engaging in any biometric processing activity.

3.2 General Principles of Data Processing

Even where a legal basis exists, all personal data processing activities must comply with the general principles established under Article 4 of the KVKK. These principles require that personal data be:

  • Processed lawfully and fairly;
  • Accurate and kept up to date where necessary;
  • Processed for specific, explicit, and legitimate purposes;
  • Relevant, limited, and proportionate to the purpose pursued;
  • Retained only for as long as necessary.

The Principle Decision places particular emphasis upon the principle of proportionality. The Authority repeatedly stresses that organizations must choose the least intrusive method capable of achieving the legitimate objective pursued. This principle ultimately became the decisive factor underlying the Authority’s conclusions regarding biometric attendance systems.

3.3 Employer Obligations

Employers acting as data controllers bear substantial compliance responsibilities under Turkish law. These responsibilities include:

  • Identifying a valid legal basis for processing;
  • Implementing appropriate technical and organizational safeguards;
  • Providing transparent privacy notices;
  • Limiting access to sensitive data;
  • Maintaining adequate security measures;
  • Complying with retention and deletion requirements;
  • Demonstrating accountability in the event of regulatory investigations.

Failure to satisfy these obligations may expose organizations to administrative fines, regulatory investigations, compensation claims, and reputational harm. Employers should therefore approach biometric processing activities with particular caution given the elevated compliance expectations applicable to special categories of personal data.

4. Why Employers Use Biometric Attendance Systems

4.1 Workforce Management Requirements

Modern organizations increasingly seek efficient methods of recording employee attendance and working hours. Traditional attendance registers, paper sign-in sheets, and manual supervision methods are often perceived as vulnerable to error, manipulation, or administrative inefficiency. Biometric attendance systems promise greater accuracy by linking attendance records directly to unique physical characteristics of employees. Employers frequently cite the prevention of “buddy punching” – the practice whereby one employee records attendance on behalf of another – as a significant justification for implementing biometric systems.

4.2 Security Considerations

Many organizations also utilize biometric technologies for workplace security purposes. Biometric systems may be integrated with access control mechanisms that restrict entry to sensitive facilities, data centres, research laboratories, manufacturing sites, or other secured areas. In such contexts, employers often argue that biometric identification provides stronger security assurances than conventional cards or passwords, which may be lost, shared, or stolen. Nevertheless, the existence of legitimate security objectives does not automatically justify biometric processing. Employers must still demonstrate compliance with necessity and proportionality requirements.

4.3 Digital Transformation and Technological Trends

The increasing digitalization of workplaces has accelerated adoption of biometric technologies throughout both public and private sectors. Cloud-based workforce management platforms, integrated access control systems, and artificial intelligence-powered identification tools have contributed to the growing popularity of biometric solutions. However, technological capability alone does not determine legal permissibility.

The Principle Decision makes clear that the availability of a technology does not mean that its deployment complies with data protection law. Rather, employers must continuously evaluate whether the privacy intrusion associated with biometric processing is genuinely necessary to achieve their operational objectives. The Authority’s decision therefore represents a significant reminder that innovation must remain compatible with fundamental privacy rights and data protection principles.

5. The KVKK Principle Decision No. 2026/921

5.1 Background of the Decision

On 2 June 2026, the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu – KVKK) published Principle Decision No. 2026/921 concerning the processing of biometric data for employee attendance tracking purposes. The Authority noted that one of the most common issues arising from complaints and reports submitted to the institution concerns the growing use of biometric identification technologies by employers seeking to digitalize attendance monitoring systems and strengthen workplace security.

Fingerprint scanners, facial recognition terminals, iris recognition systems, retina scanners, and similar technologies have become increasingly common in both public and private sector workplaces. Employers frequently justify their deployment on the basis of efficiency, accuracy, security, and fraud prevention. The Authority acknowledged that biometric systems possess certain operational advantages. They are generally quick, accurate, difficult to manipulate, and capable of providing reliable identity verification. Nevertheless, the Authority emphasized that these benefits cannot be evaluated in isolation from the fundamental rights and freedoms of employees. The decision therefore addresses a question that has long generated uncertainty among employers, compliance professionals, and human resources departments:

Can employers lawfully process biometric data solely for the purpose of monitoring employee attendance? The Authority’s answer was clear and unambiguous. In most circumstances, the processing of biometric data for attendance tracking purposes will not satisfy the requirements of Turkish data protection law.

5.2 The Authority’s Analysis

The Authority began by examining the legal framework governing working time records in Türkiye. Turkish labour legislation unquestionably requires employers to monitor and document working hours. Various provisions of labour law impose obligations relating to the recording of attendance, overtime, shift schedules, and rest periods. However, the Authority highlighted a critical distinction. Although Turkish law requires attendance records to be maintained, no legislation expressly requires those records to be created through biometric identification technologies. 

In other words, there is a legal obligation to record attendance, but there is no legal obligation to collect fingerprints, facial templates, iris scans, or other biometric identifiers in order to fulfil that obligation. This distinction became central to the Authority’s reasoning. The Authority concluded that because Turkish legislation does not specifically mandate biometric attendance systems, employers cannot generally rely upon the legal basis of “explicitly provided by law” for biometric processing activities.

5.3 Reliance on Constitutional Court and Council of State Jurisprudence

The Principle Decision did not emerge in a legal vacuum. Rather, it builds upon a growing body of judicial decisions emphasizing the need for strict scrutiny when biometric technologies are used in employment contexts. 

The Authority specifically referred to decisions of both the Constitutional Court and the Council of State concerning biometric attendance systems. Particular attention was given to a Constitutional Court judgment involving a public employee who was required to participate in a fingerprint-based attendance system. The Constitutional Court found that the collection and processing of fingerprint data interfered with the individual’s right to protection of personal data and right to respect for private life. The Court further concluded that the interference lacked a sufficiently clear legal basis because no legislation specifically required attendance monitoring through fingerprint technologies.

The Principle Decision also referenced significant Council of State jurisprudence emphasizing the principles of necessity, proportionality, and data minimization. The Council of State has consistently questioned whether employers can justify collecting highly sensitive biometric data when less intrusive methods remain available.

By incorporating these judicial authorities, the KVKK reinforced the emerging legal consensus that attendance monitoring alone rarely provides sufficient justification for the processing of biometric data.

5.4 The Authority’s Key Conclusions

The Authority ultimately reached three fundamental conclusions. First, attendance monitoring obligations under Turkish labour law do not automatically authorize the collection and processing of biometric data. Second, employee consent alone does not generally provide a sufficiently reliable legal basis because of the structural imbalance that exists between employers and employees. Third, biometric attendance systems typically fail the proportionality test because less intrusive alternatives are readily available. These findings collectively represent one of the strongest regulatory statements issued to date regarding workplace biometric surveillance in Türkiye.

6. Why Employee Consent Does Not Solve the Problem

6.1 The Traditional Employer Approach

Many employers have historically attempted to justify biometric attendance systems by obtaining written consent from employees. Under this approach, employees are asked to sign consent forms authorizing the collection and processing of fingerprints, facial recognition data, or other biometric identifiers. Employers often assume that once consent has been obtained, the processing activity becomes legally compliant. The Principle Decision directly challenges this assumption. The Authority concluded that obtaining a signed consent form does not automatically cure the legal deficiencies associated with biometric attendance systems.

6.2 The Requirement of Freely Given Consent

Under Turkish data protection law, valid consent must be:

  • Specific;
  • Informed;
  • Freely given.

The requirement that consent be freely given is particularly important in employment relationships. The Authority emphasized that genuine consent requires the existence of a real choice. Individuals must be able to refuse consent without suffering adverse consequences. In theory, this principle appears straightforward. In practice, however, employment relationships present unique challenges.

6.3 Structural Power Imbalance in Employment Relationships

The Authority devoted considerable attention to the unequal nature of employer-employee relationships. Employment relationships inherently involve economic dependence, organizational authority, and hierarchical decision-making structures. Employees rely upon employers for their livelihood and frequently perceive pressure – whether explicit or implicit – to comply with workplace requirements. Under such circumstances, employees may reasonably fear that refusing consent could negatively affect:

  • Recruitment opportunities;
  • Career advancement;
  • Workplace relationships;
  • Performance evaluations;
  • Continued employment.

Even where no direct pressure exists, the mere existence of the employment relationship may undermine the voluntariness of consent. The Authority therefore concluded that significant doubts arise as to whether employee consent in these situations genuinely reflects free will. This reasoning mirrors the position adopted by European data protection regulators and the European Data Protection Board, which have repeatedly expressed skepticism regarding reliance upon consent in employment contexts.

6.4 The Problem of Withdrawal of Consent

The Authority identified an additional difficulty. Under data protection law, consent must remain revocable. Individuals must be able to withdraw their consent at any time. However, biometric attendance systems typically depend upon continuous participation by employees. If employees begin withdrawing consent after a system has been implemented, the functionality and operational consistency of the system may be compromised. The Authority observed that this practical reality further undermines reliance upon consent as the sole legal basis for biometric attendance processing.

The result is a regulatory paradox. If employees are genuinely free to withdraw consent, the system may become operationally unworkable. If withdrawal is discouraged or restricted, consent may no longer be freely given. Either outcome raises serious compliance concerns.

6.5 International Perspective

The KVKK’s reasoning aligns closely with developments under the GDPR. European regulators have consistently warned that employers should exercise extreme caution when relying upon employee consent as a legal basis for processing personal data. Many European supervisory authorities have concluded that consent is generally inappropriate where a significant imbalance of power exists between the parties. The Turkish Authority’s approach therefore reflects a broader international trend toward protecting employees from excessive workplace monitoring and surveillance.

7. The Principle of Proportionality: The Core of the Decision

7.1 Why Proportionality Matters

Although questions concerning consent received substantial attention, the true foundation of the Principle Decision lies elsewhere. The Authority repeatedly emphasized that the decisive issue is proportionality. Even if valid consent could somehow be obtained, biometric attendance systems would still need to satisfy the proportionality requirements established under Article 4 of the KVKK. This is perhaps the most important practical lesson arising from the decision. The Authority effectively states that consent alone cannot justify a processing activity that is disproportionate in the first place.

7.2 Understanding the Proportionality Test

Proportionality requires that personal data processing activities remain appropriate, necessary, and balanced in relation to their intended purpose. The concept is generally analyzed through three related questions:

  • Is the measure suitable for achieving the stated objective?
  • Is the measure necessary, or are less intrusive alternatives available?
  • Does the benefit obtained outweigh the interference with individual rights?

Only where all three questions can be answered positively will the proportionality requirement generally be satisfied.

7.3 Suitability

The Authority accepted that biometric attendance systems are capable of recording attendance. In other words, the systems may be suitable for achieving the employer’s objective. However, suitability alone is not sufficient. Many intrusive technologies may be effective at achieving particular objectives while nevertheless violating fundamental rights. Consequently, the analysis must proceed to the necessity stage.

7.4 Necessity

The necessity requirement proved fatal for biometric attendance systems. The Authority observed that numerous alternative methods exist for recording attendance without requiring the collection of highly sensitive biometric data. Examples include:

  • PIN-based systems;
  • Password-protected employee cards;
  • RFID cards;
  • NFC identification systems;
  • Traditional signature registers;
  • Manual attendance controls.

Because these alternatives remain widely available and capable of achieving the same objective, the Authority concluded that biometric processing generally cannot be regarded as necessary.

7.5 Balancing Interests

The final stage involves balancing employer interests against employee privacy rights. The Authority recognized that employers have legitimate interests in monitoring attendance and preventing fraud. However, these interests must be weighed against the significant privacy risks associated with biometric data processing. Biometric identifiers are permanent, sensitive, and highly personal. Unauthorized disclosure or misuse may expose individuals to risks that cannot easily be remedied. The Authority concluded that the privacy intrusion associated with collecting fingerprints, facial templates, or similar identifiers is generally excessive when compared with the relatively modest administrative benefits associated with attendance monitoring.

7.6 The Most Important Practical Message

The most significant practical consequence of the Principle Decision is that employers must move beyond the question of consent and focus instead upon necessity and proportionality. The Authority’s position can be summarized as follows: If attendance can be monitored effectively through less intrusive means, biometric data should not be processed. This conclusion is likely to become the central benchmark for future regulatory investigations involving workplace biometric technologies. Organizations currently relying upon fingerprint scanners, facial recognition systems, or similar attendance solutions should therefore carefully reassess whether such technologies remain defensible under Turkish data protection law.

8. Alternative Attendance Tracking Methods Approved by the Authority

8.1 A Shift Toward Less Intrusive Solutions

One of the most practical aspects of Principle Decision No. 2026/921 is that the Turkish Data Protection Authority did not merely criticize biometric attendance systems. The Authority also identified alternative methods that employers may use to achieve the same operational objectives without processing highly sensitive biometric data. This aspect of the decision is particularly important because it demonstrates that the Authority is not challenging the legitimacy of attendance monitoring itself. Rather, the Authority is questioning whether biometric technologies are necessary to accomplish that purpose. The distinction is significant. Employers remain legally obligated to monitor attendance, working hours, overtime, and compliance with labour law requirements. What has changed is the Authority’s assessment of the methods used to achieve those objectives.

8.2 PIN-Based Attendance Systems

One of the alternatives expressly mentioned by the Authority is the use of PIN-based attendance systems. Under such systems, employees enter a unique personal identification number when arriving at or leaving the workplace. PIN systems offer several advantages:

  • They do not require the processing of special categories of personal data.
  • They are relatively inexpensive to implement.
  • They can be integrated into existing attendance software.
  • They provide adequate documentation for labour law compliance purposes.

Although PIN systems may be vulnerable to sharing or misuse, the Authority appears to regard this risk as insufficient to justify the collection of highly sensitive biometric information.

8.3 Password-Protected Employee Cards

The Authority also referenced password-protected employee card systems as a viable alternative. Under this model, employees are issued identification cards that must be used together with a password or authentication code. This approach combines physical identification with an additional security layer while avoiding the need to collect biometric data. For many organizations, particularly office-based employers, such systems may provide an appropriate balance between operational efficiency and privacy protection.

8.4 RFID and NFC Technologies

The decision specifically mentions RFID (Radio Frequency Identification) and NFC (Near Field Communication) technologies as acceptable alternatives. These technologies are already widely used in:

  • Corporate office buildings;
  • Manufacturing facilities;
  • Universities;
  • Hospitals;
  • Public institutions;
  • Research centres.

RFID and NFC systems allow employers to record attendance and regulate access without collecting immutable biological characteristics. From a data protection perspective, the distinction is crucial. Lost cards can be cancelled and replaced. Compromised biometric identifiers generally cannot. This distinction lies at the heart of the Authority’s proportionality analysis.

8.5 Traditional Attendance Registers

The Authority also refers to traditional attendance methods such as:

  • Signature sheets;
  • Attendance registers;
  • Paper-based records;
  • Manual verification systems.

Although such methods may appear less technologically advanced, the Authority’s decision demonstrates that legal compliance does not necessarily require the adoption of the most sophisticated technology available. Data protection law often favours solutions that minimize privacy risks, even where more technologically advanced alternatives exist.

8.6 Manual Attendance Verification

In some circumstances, attendance may also be verified through direct supervision. The Authority specifically mentions manual attendance controls conducted under supervisory oversight. While such approaches may be impractical for large organizations, they further reinforce the Authority’s position that employers possess numerous alternatives that do not require the processing of biometric data.

8.7 The Compliance Message for Employers

The practical message emerging from the Principle Decision is straightforward. Before implementing any biometric attendance system, employers must be able to demonstrate why less intrusive alternatives are insufficient. In most ordinary workplace environments, the existence of PIN systems, RFID cards, NFC technologies, or traditional attendance methods will make it difficult to establish that biometric processing is genuinely necessary. Consequently, organizations should conduct a documented assessment of available alternatives before considering any biometric solution.

9. Relevant Turkish Court Decisions

9.1 Constitutional Court Jurisprudence

The Principle Decision builds upon an important body of constitutional jurisprudence concerning the protection of personal data and privacy rights. One of the most influential decisions involved a public employee who was required to participate in a fingerprint-based attendance system implemented by a public authority. The employee challenged the practice before the Constitutional Court, arguing that the collection and storage of fingerprint data interfered with the constitutional right to protection of personal data and respect for private life.

The Constitutional Court agreed. The Court emphasized that biometric data constitute particularly sensitive information and that their processing requires a sufficiently clear legal basis. The Court further observed that while attendance monitoring may be a legitimate objective, the collection of fingerprint data represents a significant interference with individual privacy rights. Most importantly, the Court concluded that no clear legislative provision required attendance monitoring through biometric systems. The absence of such a legal basis contributed significantly to the finding of a constitutional violation.

9.2 Protection of Personal Data as a Constitutional Right

The Constitutional Court’s analysis reflects the broader constitutional framework governing personal data protection in Türkiye. Article 20 of the Constitution recognizes the right of individuals to request the protection of their personal data. This right includes guarantees concerning:

  • Information about data processing activities;
  • Access to personal data;
  • Correction of inaccurate information;
  • Deletion of personal data under certain circumstances;
  • Protection against unlawful processing.

Because biometric information directly concerns individual identity, courts have generally applied particularly rigorous scrutiny when assessing the legality of biometric processing activities.

9.3 Council of State Jurisprudence

The Principle Decision also references important judgments of the Council of State (Danıştay). The Council of State has consistently emphasized that personal data processing activities must satisfy the principles of:

  • Necessity;
  • Proportionality;
  • Data minimization;
  • Purpose limitation.

In several cases involving workplace monitoring and biometric technologies, the Council of State questioned whether employers had adequately demonstrated the necessity of collecting highly sensitive personal information. The Court repeatedly highlighted the importance of considering alternative methods capable of achieving the same objective with less interference in individual privacy.

9.4 Emerging Judicial Trend

Taken together, the decisions of the Constitutional Court, the Council of State, and the Turkish Data Protection Authority reveal a clear trend. Turkish institutions are moving toward increasingly strict scrutiny of biometric technologies in employment settings. The legal question is no longer whether biometric systems are technologically effective. Instead, the central question has become whether the collection of highly sensitive biometric information is genuinely necessary when less intrusive alternatives remain available. For most ordinary attendance monitoring purposes, Turkish regulators and courts increasingly appear inclined to answer this question in the negative.

10. Comparison with the GDPR and European Practice

10.1 The GDPR Approach to Biometric Data

The Turkish Authority’s decision closely resembles developments under the European Union’s General Data Protection Regulation (GDPR). Article 9 of the GDPR treats biometric data used for identification purposes as a special category of personal data subject to enhanced protection. As a general rule, processing such data is prohibited unless one of the specific legal exceptions applies. This approach reflects the recognition that biometric identifiers present elevated risks to individual rights and freedoms.

10.2 European Data Protection Board Guidance

The European Data Protection Board (EDPB) has repeatedly expressed concerns regarding the use of biometric technologies in employment relationships. The EDPB has emphasized that employers should exercise extreme caution when relying upon employee consent because of the imbalance of power that typically exists between employers and employees. This position closely mirrors the reasoning adopted by the Turkish Data Protection Authority in Principle Decision No. 2026/921.

10.3 France: CNIL

The French Data Protection Authority (CNIL) has historically adopted a restrictive approach toward biometric attendance systems. CNIL decisions frequently emphasize that biometric solutions should be used only where no less intrusive alternative exists. Employers are generally expected to justify why conventional authentication methods are inadequate before implementing biometric technologies.

10.4 Germany

German supervisory authorities have likewise subjected workplace biometric systems to rigorous scrutiny. German regulators often focus on whether employers can demonstrate a compelling necessity for biometric processing. Attendance monitoring alone has rarely been regarded as sufficient justification.

10.5 Italy and Spain

Italian and Spanish regulators have reached similar conclusions in numerous enforcement actions and guidance documents. Both jurisdictions generally require employers to demonstrate:

  • Necessity;
  • Proportionality;
  • Absence of reasonable alternatives;
  • Adequate safeguards.

These requirements closely resemble the standards articulated by the Turkish Authority.

10.6 Growing Regulatory Convergence

The Principle Decision illustrates the increasing convergence between Turkish and European privacy standards. Organizations operating internationally should therefore recognize that restrictive treatment of workplace biometric systems is no longer unique to a particular jurisdiction. Rather, it reflects a broader regulatory trend favouring data minimization and privacy-preserving technologies.

11. Risks for Employers Using Fingerprint and Facial Recognition Systems

11.1 Regulatory Investigations

Following the publication of Principle Decision No. 2026/921, organizations using biometric attendance systems face increased regulatory scrutiny.

Employees, trade unions, former employees, competitors, and whistleblowers may submit complaints to the Turkish Data Protection Authority.

Such complaints may trigger investigations into the legality of biometric processing activities.

11.2 Administrative Fines

Employers found to be processing biometric data unlawfully may face administrative sanctions under Law No. 6698.

The Authority has broad enforcement powers, including the ability to impose administrative fines and require corrective measures.

In serious cases, organizations may be ordered to suspend unlawful processing activities entirely.

11.3 Orders to Delete Biometric Data

One of the most significant practical consequences of a regulatory investigation may be an order requiring the deletion or destruction of biometric data.

Organizations that have collected biometric information over many years may face substantial operational challenges if required to dismantle existing attendance systems and migrate to alternative technologies.

11.4 Civil Liability

Employees may also pursue compensation claims where unlawful biometric processing results in damage.

Potential claims may include:

  • Material damages;
  • Moral damages;
  • Violations of privacy rights;
  • Unlawful processing of personal data.

Although the outcome of such claims will depend upon the circumstances of each case, employers should not underestimate the litigation risks associated with biometric monitoring practices.

11.5 Employment Law Consequences

Workplace disputes may also arise where employees object to biometric processing or refuse to participate in attendance systems.

Employers should carefully evaluate the employment law implications of disciplinary measures connected to biometric attendance requirements.

The interaction between labour law and data protection law is likely to become an increasingly important area of legal risk following the publication of the Principle Decision.

11.6 Reputational Risks

Beyond legal liability, organizations should also consider reputational consequences.

Privacy and workplace surveillance issues increasingly attract public attention.

Regulatory investigations involving biometric monitoring may generate adverse publicity, affect employee relations, and undermine stakeholder confidence.

For multinational organizations in particular, privacy-related reputational risks may extend beyond Türkiye and affect operations in multiple jurisdictions.

11.7 A New Compliance Environment

The publication of Principle Decision No. 2026/921 marks a significant shift in the Turkish regulatory landscape.

Employers can no longer assume that biometric attendance systems are legally defensible simply because employees have signed consent forms.

Instead, organizations must now demonstrate that biometric processing satisfies the strict requirements of necessity, proportionality, and data minimization.

For many employers, this will require a comprehensive reassessment of existing attendance monitoring practices and a transition toward less intrusive alternatives.

12. Compliance Checklist for Employers

The publication of Principle Decision No. 2026/921 should prompt organizations operating in Türkiye to conduct an immediate review of any workplace systems involving biometric data processing.

Employers should consider the following compliance questions:

12.1 Inventory Existing Biometric Systems

Organizations should first identify whether they currently process any biometric data relating to employees.

This review should cover:

  • Fingerprint attendance systems;
  • Facial recognition technologies;
  • Iris or retina scanning systems;
  • Palm recognition systems;
  • Biometric access control mechanisms;
  • Integrated attendance and security platforms.

Many organizations discover that biometric data are processed by third-party service providers or integrated software systems without a full appreciation of the associated compliance obligations.

12.2 Review the Legal Basis for Processing

Employers should carefully evaluate the legal basis currently relied upon for biometric processing activities.

Questions to consider include:

  • Is processing based solely upon employee consent?
  • Is there a specific legal obligation requiring biometric processing?
  • Can the organization demonstrate necessity?
  • Have proportionality assessments been documented?

Organizations relying exclusively upon employee consent should pay particular attention to the Authority’s concerns regarding the validity of consent in employment relationships.

12.3 Assess Available Alternatives

The Principle Decision places considerable emphasis on the existence of less intrusive alternatives.

Accordingly, employers should document:

  • Alternative attendance systems considered;
  • Reasons for selecting biometric technologies;
  • Whether less intrusive options could achieve the same objective;
  • Comparative privacy impact assessments.

The absence of such documentation may significantly weaken an organization’s position during a regulatory investigation.

12.4 Review Data Retention Practices

Organizations should examine:

  • How long biometric data are retained;
  • Whether retention periods remain necessary;
  • Whether deletion procedures are functioning effectively;
  • Whether former employee records have been appropriately removed.

Data minimization principles require that biometric information be retained only for as long as necessary to achieve legitimate purposes.

12.5 Evaluate Security Measures

Because biometric data constitute a special category of personal data, enhanced security measures should be implemented.

Employers should review:

  • Encryption standards;
  • Access control mechanisms;
  • Audit logging procedures;
  • Third-party service provider arrangements;
  • Incident response plans.

Security deficiencies may significantly increase regulatory exposure in the event of a data breach.

12.6 Conduct a Comprehensive Compliance Audit

Organizations utilizing biometric technologies should strongly consider conducting a comprehensive privacy and data protection audit.

Such audits can identify potential legal vulnerabilities before they become the subject of regulatory investigations, employee complaints, or litigation.

13. Practical Recommendations for Employers

13.1 Immediate Actions

Employers currently using fingerprint or facial recognition attendance systems should not wait for a regulatory investigation before assessing compliance.

Immediate actions may include:

  • Identifying all biometric processing activities;
  • Reviewing privacy notices;
  • Examining consent mechanisms;
  • Assessing alternative attendance solutions;
  • Consulting legal counsel regarding risk exposure.

The earlier compliance concerns are identified, the easier they generally are to address.

13.2 Medium-Term Compliance Measures

Organizations may wish to develop a structured transition strategy where significant legal risks are identified.

Potential measures include:

  • Migrating from biometric systems to RFID or NFC solutions;
  • Implementing PIN-based attendance systems;
  • Updating internal data protection policies;
  • Revising employee information notices;
  • Enhancing governance procedures.

Employers should ensure that any transition process is documented and supported by appropriate legal analysis.

13.3 Data Protection Impact Assessments

Although not expressly required in every situation, privacy impact assessments represent an increasingly important compliance tool.

Such assessments may assist organizations in demonstrating:

  • Consideration of alternative solutions;
  • Evaluation of privacy risks;
  • Proportionality analysis;
  • Accountability efforts.

In the event of a regulatory investigation, well-documented assessments may provide valuable evidence of good-faith compliance efforts.

13.4 Special Considerations for Multinational Companies

Multinational organizations operating in Türkiye should consider the interaction between Turkish law and foreign regulatory requirements.

Many organizations already face compliance obligations under:

  • The GDPR;
  • UK data protection legislation;
  • United States state privacy laws;
  • Sector-specific regulatory frameworks.

The increasing convergence between Turkish and European privacy standards means that multinational compliance strategies should be developed holistically rather than on a jurisdiction-by-jurisdiction basis.

13.5 Board-Level Governance

Biometric processing should no longer be viewed solely as an information technology issue.

It should be regarded as a strategic legal, compliance, and governance matter.

Senior management should therefore ensure that decisions regarding workplace surveillance technologies receive appropriate oversight from legal, compliance, human resources, and information security functions.

14. How Bıçak Law Firm Assists Employers with KVKK Compliance

The legal landscape governing workplace biometric technologies is evolving rapidly. Organizations operating in Türkiye increasingly require sophisticated legal guidance to navigate the intersection of employment law, privacy law, cybersecurity obligations, and regulatory enforcement risks.

Bıçak Law Firm advises domestic and international companies on all aspects of Turkish data protection law and workplace privacy compliance.

Our services include:

Workplace Privacy Audits

We conduct comprehensive reviews of employee monitoring practices, attendance systems, surveillance technologies, access control mechanisms, and biometric processing activities.

KVKK Compliance Projects

We assist organizations in developing and implementing comprehensive compliance frameworks aligned with Turkish personal data protection requirements.

Data Protection Impact Assessments

We provide legal analysis and risk assessments relating to biometric technologies, workplace monitoring tools, and emerging technologies involving sensitive personal data.

Regulatory Investigations

We represent clients before the Turkish Personal Data Protection Authority in investigations, inspections, complaints, and enforcement proceedings.

Employment and Privacy Law Integration

We advise employers on the interaction between labour law obligations and data protection requirements, helping organizations implement legally sustainable workplace monitoring policies.

International Compliance Projects

We support multinational companies seeking to align Turkish operations with GDPR requirements and broader global privacy frameworks.

Through a combination of regulatory, employment, technology, and dispute resolution expertise, Bıçak Law Firm helps organizations minimize legal risks while maintaining effective operational controls.

Frequently Asked Questions (FAQ)

Can employers still use fingerprint attendance systems in Türkiye?

Following Principle Decision No. 2026/921, employers face significant legal challenges in justifying fingerprint attendance systems. The Turkish Data Protection Authority has indicated that such systems will generally fail the proportionality test where less intrusive alternatives exist.

Is employee consent sufficient to legalize biometric attendance systems?

Generally no. The Authority expressly emphasized that the imbalance of power inherent in employment relationships creates serious doubts regarding whether employee consent can truly be regarded as freely given.

Does Turkish labour law require biometric attendance systems?

No. Turkish labour legislation requires employers to monitor and document working hours, but it does not require attendance monitoring to be conducted through biometric technologies.

Which alternatives are recommended by the Authority?

The Authority specifically refers to alternatives such as:

  • PIN-based systems;
  • Password-protected employee cards;
  • RFID cards;
  • NFC identification technologies;
  • Traditional attendance registers;
  • Manual attendance verification methods.

Are facial recognition systems treated differently from fingerprint systems?

No. Both fingerprint and facial recognition systems involve biometric data processing and are therefore subject to similar legal concerns regarding necessity, proportionality, and lawful processing.

Can employers face administrative fines?

Yes. Organizations engaging in unlawful biometric processing activities may be subject to administrative sanctions and other enforcement measures under Law No. 6698.

What should employers do if they currently use biometric attendance systems?

Organizations should promptly review their systems, assess available alternatives, evaluate legal risks, and seek professional legal advice regarding compliance obligations.

Does the decision affect multinational companies operating in Türkiye?

Yes. Any organization processing employee biometric data within Türkiye should evaluate the implications of the Principle Decision, regardless of whether the organization is domestic or foreign-owned.

Conclusion

Principle Decision No. 2026/921 marks a significant turning point in the regulation of workplace biometric technologies in Türkiye. The Turkish Data Protection Authority has made it clear that the mere existence of employee consent does not automatically legitimize the processing of highly sensitive biometric information. Instead, organizations must demonstrate that such processing is genuinely necessary, proportionate, and consistent with the fundamental principles of data protection law.

The decision also reflects a broader international trend toward stricter regulation of workplace surveillance technologies and greater protection of employee privacy rights. Employers that continue to rely on fingerprint scanners, facial recognition systems, or similar technologies without carefully assessing legal risks may face increasing regulatory scrutiny in the years ahead.

Organizations operating in Türkiye should therefore view this development not merely as a compliance challenge but as an opportunity to modernize privacy governance frameworks, strengthen employee trust, and reduce regulatory exposure. Proactive compliance reviews, documented proportionality assessments, and the adoption of less intrusive attendance monitoring solutions will be increasingly important components of effective corporate governance.

Domestic and international employers alike should carefully evaluate their existing attendance monitoring practices in light of the Authority’s new guidance. Early legal review and strategic planning can significantly reduce the risk of future investigations, enforcement actions, employee complaints, and reputational harm. Bıçak Law Firm regularly advises organizations on Turkish data protection law, workplace privacy compliance, employee monitoring practices, and regulatory investigations, helping clients navigate this evolving legal landscape with confidence and clarity.
