New Principle Decision by the Personal Data Protection Board on the Processing of Biometric Data for Time and Attendance Tracking

The Personal Data Protection Board (“Board”) has clarified its approach regarding biometric recognition systems used in workplaces for tracking employee time and attendance in accordance with the Personal Data Protection Law (PDPL), through the “Principle Decision on the Processing of Biometric Data for the Purpose of Time and Attendance Tracking” (“Principle Decision”) published in the Official Gazette dated June 2, 2026, and numbered 33268.

In light of the widespread use of biometric systems such as fingerprint and facial recognition for tracking employee attendance in recent years, the Board emphasizes that these practices must be evaluated not only in terms of the legal bases for processing personal data but also within the framework of the principles of proportionality, necessity, and data minimization.

A Higher Standard of Protection for Biometric Data

The Principle Decision focuses on biometric systems utilized to track employees' entry and exit times. The Board reiterates that biometric data constitutes special categories of personal data; and due to their irreversible nature, they require a higher level of protection compared to many other personal data categories. In this context, it is stated that methods such as fingerprint, facial recognition, and iris/retina scanning must not be regarded as “routine” employee attendance control tools under data protection legislation, but rather as data processing activities subject to separate and strict scrutiny.

Assessment of Lawfulness – Narrow Interpretation within the Framework of Article 6 of the PDPL

In the Principle Decision, the Board adopts the approach that although the necessity of working hour tracking has a recognized scope of application in labor legislation, this does not automatically legitimize the processing of biometric data. The Board’s assessment concentrates specifically on the following points:

• The condition of “being explicitly provided by the laws”: Although there is a general framework in labor legislation or similar specific legislation regarding the tracking of time and attendance, it is concluded that these regulations do not expressly stipulate the processing of biometric data; thus, they fail to meet the standard of “legality” required for special categories of personal data.
• The condition of “being necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance”: The Board adopts the stance that general references to the employment relationship do not solely constitute the narrow and specific legal basis required for processing special categories of personal data; and that provisions in labor legislation do not automatically “satisfy” the employment exception under the PDPL.
• Explicit Consent is Not Always a Secure Legal Basis: Another notable point in the Principle Decision is the assessment that explicit consent obtained from employees may not always serve as a sufficient legal basis on its own. The Board notes that due to the inherent nature of the employer-employee relationship, there is no strict equality between the parties; therefore, it cannot be assumed that the employees’ consent is based on free will in all circumstances. This approach indicates that relying on consent in processes closely tied to the “continuation of the employment relationship,” such as time and attendance tracking, may lead to validity disputes in practice.

The Board further supports its assessment of lawfulness with the decision of the General Assembly of the Constitutional Court dated 10/03/2022. In the aforementioned decision regarding individual application No. 2018/11988 concerning time and attendance tracking via a fingerprint recording system, it is stated that pursuant to Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person; and that special categories of personal data are subject to stricter rules. The decision also notes that in the concrete case, there is no explicit regulation establishing the fundamental principles and procedures regarding the use of biometric data-based tracking systems under the Civil Servants Law No. 657 and the Municipality Law No. 5393; consequently, the intervention failed to satisfy the legality requirement, leading to a violation of the right to demand the protection of personal data.

Proportionality and Alternative Methods – Article 4 of the PDPL

The Board discusses not only the legal bases for processing data (Article 6 of the PDPL) but also the compliance of the processing activity with the general principles set forth in Article 4 of the PDPL, even if lawfulness is hypothetically assumed. Within this framework, one of the strongest messages of the Principle Decision is that utilizing biometric data fails to meet the proportionality criterion in scenarios where the objective of working hour tracking can be achieved through less intrusive methods.

By drawing attention to the fact that time and attendance tracking can be alternatively executed through:

• Password cards / personnel cards,
• PIN systems,
• RFID/NFC-based solutions,
• Signature charts / attendance sheets,

the Board highlights the assessment of necessity and data minimization.

Furthermore, the Board substantiates its proportionality assessment with judicial precedents. In the case subject to the decision of the 12th Chamber of the Council of State (Base No. 2021/3870, Decision No. 2023/2548), the annulment of the transaction regarding the use of palm vein readers for time and attendance tracking was requested; the assessment concluded that the principle of “being relevant, limited and proportionate to the purposes for which they are processed” under Article 4 of the PDPL and the processing regime for special categories of personal data must be evaluated collectively. Additionally, with the decision of the Plenary Session of the Administrative Law Divisions of the Council of State (Base No. 2024/225, Decision No. 2024/2625), this approach was reaffirmed based on the emphasis on “avoiding the processing of personal data that is not needed” within the framework of the proportionality principle.

Technical and Organizational Measures – Article 12 of the PDPL

The Principle Decision points out that since biometric data constitutes special categories of personal data, employers must handle their obligations regarding technical and organizational measures under Article 12 of the PDPL at a considerably higher standard. In this regard, adopting a risk-based approach is crucial not only in the debate of “legal basis” but also concerning aspects such as access to biometric data, retention periods, ensuring data security, authorization, and audit mechanisms.

What Does This Principle Decision Mean for Employers?

The Principle Decision serves as a clear signal that, beyond the penalty decisions previously issued by the Board against certain data controllers following investigations initiated upon complaints or reports, biometric systems operated for employee time and attendance tracking will henceforth be under much stricter scrutiny within the framework of data protection law. Accordingly, it is of utmost importance for employers to:

• Re-evaluate whether the processing of biometric data for tracking employee attendance constitutes an absolute legal and factual necessity/requirement,
• Investigate the viability of non-biometric and less intrusive alternative methods that would serve to achieve the specified tracking objective,
• Conduct a detailed audit of the internal data processing procedures and the legal bases upon which the existing tracking systems rely,
• Review and revise the technical and organizational security measures (Article 12 of the PDPL) required for the retention of special categories of personal data, in light of the Board’s decision dated 31/01/2018 and numbered 2018/10 on “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” alongside this new Principle Decision.