KVKK and the Presumption of Innocence for Employers
On the new approach where employers and my clients are treated as suspicious from the very beginning
The Principle Decision No. 2026/921 of the Personal Data Protection Board, dated 29.04.2026, was published in the Official Gazette on 02.06.2026. The decision concerns the processing of biometric data for attendance tracking purposes. In other words, fingerprint scanners, facial recognition systems and similar technologies used in factories, construction sites, offices, warehouses and production facilities to monitor employee entry and exit records.
The summary of the decision is this: the Board adopted a restrictive interpretation regarding the use of biometric data for attendance tracking. It is no longer sufficient for an employer to simply say: “I obtained explicit consent.” The Board states that where lighter alternatives such as cards, passwords, PINs, QR codes or RFID systems exist, processing fingerprint or facial recognition data may no longer be considered proportionate. It also approaches the issue of whether explicit consent in the employee-employer relationship is truly based on free will with suspicion. There is an approach that does not fully trust the signatures and consent texts prepared by employers.
The decision was adopted unanimously, in line with the Board’s approach in recent years. Official link to the decision:
https://www.resmigazete.gov.tr/eskiler/2026/06/20260602-3.pdf
I would like to address what this decision means from a data protection law perspective, what kind of consequences it may create for employers, and where I believe it goes wrong. This is not merely a discussion about fingerprint scanners. The decision also reflects how the private sector and employers are perceived within Turkish data protection law and, more broadly, by the state itself.
In the text I read, the employer once again appears as the potential risk factor. Once again, the employer faces the suspicion of: “Even if consent was obtained from the employee, was it really obtained freely?”
Does the employer not benefit from a presumption of innocence?
My clients operate factories, manage construction sites, establish technology companies, manufacture products, export goods and pay salaries to hundreds of employees. They provide KVKK trainings, organize awareness programs for employees, prepare information notices, create data inventories and try to document HR processes properly. Yet despite all of this, the underlying tone of the Board’s decisions still seems to suggest the following: the employer is viewed as the stronger side with a higher potential for abuse, while the employee is primarily regarded as the party that must be protected. I do not agree with this approach.
Below, I will also share the publicly available biographies of the Board members published by the Authority itself. When such a decision directly affecting operational employer risks is being made, the professional background of the decision-makers — including experience in company ownership, employer-side management or private sector operations — should also be part of the discussion. Based on the biographies published on the Authority’s official website, none of the Board members appear to have direct experience in large-scale private sector management or company ownership. This is probably an observation noticed most strongly by employers and practitioners working closely with them.
For someone who has never managed factory shifts, dealt with construction site entry controls, experienced time-card abuse in a production facility with hundreds of employees, or had to submit attendance records to prosecutors as evidence, saying “alternative systems exist” may naturally sound easier.
The legal basis of the decision is Article 6 of the Turkish Personal Data Protection Law No. 6698.
The Board correctly classifies biometric data as “special category personal data” and therefore adopts a stricter approach.
The relevant provisions state:
“Biometric and genetic data are special category personal data.”
“Processing of special category personal data without explicit consent of the data subject is prohibited.”
“Special category personal data other than health and sexual life may only be processed without explicit consent in cases explicitly provided by law.”
In practice, the private sector has been relying on explicit consent for years precisely because there is no explicit statutory provision stating:
“Employers may use fingerprint systems.”
PDKS companies sold their systems on this basis. Lawyers drafted information notices and consent forms accordingly. Companies collected explicit consent accordingly. KVKK consultancy services were structured around this framework. It would have been useful if the Board had also explained how it internally evaluated and tolerated this practice for years.
The new approach now appears to be this:
“Even if explicit consent exists, consent within the employer-employee relationship may not truly be free.”
This is where my main concern begins. Because if this logic is expanded broadly, half of labor law could become debatable. It is said that the employee is the economically weaker party. That is true. However, if this reasoning is expanded further, many declarations of intent in labor law — including employment agreements, release agreements and similar documents — may also become open to challenge.
What answer will be given tomorrow if someone argues:
“Since the employee is under economic pressure, many signatures within the employment relationship are legally questionable as well.”
The employer and employee are not economically equal by nature. They are not equal anywhere in the world. So where exactly will the line begin, and where will it end?
The Board says:
“There are alternative methods.” Cards, PIN systems, QR codes and RFID systems.
But who decides whether those systems are truly sufficient and reliable?
A card-based system may work perfectly well for a technology company. Saying the same thing for a factory where hundreds of employees enter simultaneously during morning shifts is much easier in theory than in practice.
An employer who has already faced investigations regarding employees clocking in on behalf of others at a construction site entrance may understandably think differently.
The Board interprets the requirement of “explicit legal basis” very narrowly in relation to biometric data. But is the same standard applied equally in other sectors?
Take banking as an example. Mobile banking applications now use behavioral analysis models, facial recognition, voice recognition and fraud systems capable of authenticating individuals through behavioral patterns. Much of this area progresses through secondary legislation and technical regulations. Yet when banks do it, it is described as “security.” When employers do it, it suddenly becomes “disproportionate.” Is security not also important for my clients?
Are production facilities not sensitive? Construction sites? Data centers? Warehouses?
For years, employers were pressured to maintain extensive records during audits. Now the same employers are effectively being criticized for keeping “too many records.”
The issue of alternative systems is also addressed in the decision. The Board says there are cards, PINs, QR codes and RFID systems. Fine — these systems exist in theory. But what happens in practice?
Cards can be used by others. PINs can be shared. QR screenshots can circulate. Employees can pass through turnstiles together. Especially in shift-based systems, these abuses are not hypothetical; they are operational realities known in practice.
My clients are not using biometric systems because they enjoy complexity or excessive control. An employer may need to process 400 people entering a facility at 06:30 in the morning. Evening exits create separate problems. Overtime creates separate problems. Subcontractors create separate problems. Transportation logistics create separate problems. And on top of all that, employers are now effectively asked why they preferred more reliable systems.
There is also the cost issue. Companies did not install these systems yesterday. Hardware was purchased years ago, infrastructure was established, software integrated, HR systems connected and reporting systems built around them. Now HR departments may effectively face a completely new operational restructuring process because of this decision.
There are also domestic software companies, PDKS companies and hardware manufacturers. What happens to them? Systems sold for years as legally compliant are suddenly becoming legally risky. On what basis were these companies expected to make long-term investments?
There are employers in this country genuinely trying to comply with the rules and prevent data leaks. Employers are often simply trying to maintain operational order. The overwhelming majority of employers do not use biometric systems because of some “Sharingan” obsession; they use them because they need reliable records. They simply do not want employees clocking in for each other during morning shifts.
The Board is highly sensitive regarding biometric data. But will the same level of strictness also apply to the public sector’s own data processing activities?
For example, the fingerprints we provide during Schengen visa applications. Did we demand the same level of data security guarantees there? What about MOBESE surveillance systems, e-signature records, session logs and IP tracking systems? Are there not enormous data flows within public systems as well? Is every single operational detail explicitly regulated by statute? Is that even realistically possible?
So the real question becomes this:
Why is the “not explicitly written in the law” reflex applied most harshly against the private sector, while interpreted more flexibly for public institutions?
The biographies of the Board members are already publicly available on the Authority’s own website, and I am therefore sharing the official link below:
https://www.kvkk.gov.tr/Icerik/1016/kurul-uyeleri
The life experience of decision-makers naturally shapes their perspective. Someone who has never managed a 5,000-person shift system may easily say that card systems are sufficient. Someone who has never experienced the operational realities of a 07:00 shift entry may easily say that alternatives already exist. Someone who has never had to submit attendance records to prosecutors may view biometric systems as merely theoretical tools.
The Board, employers and employees should all inspire trust. Yet the feeling within the private sector is slightly different. Employers often feel as if any action they take is first approached with suspicion. I object to this perception. Because there are thousands of companies genuinely trying to establish lawful systems in good faith. Not all of them are potential abusers.
The Board treats biometric data with great sensitivity. Fine. That is not irrational. Fingerprints and facial geometry are indeed valuable forms of data. But where is the real concentration of data collection power today? At factory turnstiles? Or inside our smartphones?
Google knows what we search for. Smartphones know us remarkably well. Yet the regulatory reflex there appears much weaker. In reality, the systems shaping human behavior today are those platforms.
A factory attendance system does not predict your political views. It does not analyze your emotional state. It does not calculate why you stayed awake at 02:00 in the morning.
I believe the current reflex of the KVKK framework does not fully align with today’s technological and economic realities. The law was written with a 2016 mindset. We are now in the AI era, yet the strongest reaction still targets factory turnstiles.
Many employers already operate under constant anxiety. They continuously worry whether something may later become problematic. Yet despite this pressure, they continue trying to keep companies alive, pay salaries, pay taxes, export products and create employment.
The Board constantly emphasizes proportionality. But the real question is: who measures proportionality, and according to what criteria?
The needs of a factory are not the same as those of a software office. A construction site is not the same as a coworking space. A logistics center is not the same as an advertising agency. Yet the language of the decision tends to evaluate them all through the same lens.
Among my clients are technology companies, factories, construction firms, warehouses, logistics businesses and consultants. Each carries different risks. In one environment the risk is data leakage. In another it is physical security. In another it is shift abuse. In another it is subcontractor control.
The common point is this: they are all constantly audited. Audits are of course necessary, but good faith should also remain part of the equation. Otherwise, employer concerns and operational uncertainty may eventually become unsustainable.
If biometric systems are used, employers are criticized for excessive data processing. If cameras are installed, they are criticized for excessive monitoring. If cameras are not installed, they are criticized for insufficient security.
Maintaining this balance in real operational life is not nearly as simple as it sounds in theoretical discussions. These principle decisions do not sufficiently distinguish between dishonest practices and employers acting in good faith.
Employees themselves may also prefer biometric systems. Such systems protect honest employees too. Others cannot clock in on their behalf, overtime disputes decrease and attendance records become clearer. So this issue is not solely about employer interests either.
For this reason, I believe real operational life should be examined much more closely when drafting such decisions. Law is not only about theoretical risk management. It must also understand how real life actually functions.
Even the GDPR is increasingly criticized as outdated for the AI era, yet at least it openly regulates profiling, behavioral analysis, automated decision-making and risk scoring. Under the KVKK framework, profiling is barely discussed at all, even though modern data economies increasingly revolve around precisely these issues.
A smartphone is no longer merely a phone. It is effectively a portable observation device. Yet the harshest reaction still targets factory attendance systems. Fingerprints may appear more alarming because they are tangible, but systems capable of analyzing human behavior hold far greater power.
There is also the issue of legal certainty.
For years, companies were told: “Obtain explicit consent.” “Provide information notices.” “Prepare policies.”
Companies built their systems accordingly. Now they are effectively told that explicit consent may no longer be sufficient. Does this not create a serious legal predictability problem for companies?
What happens if an employee later withdraws consent? Will one factory have to operate card systems, fingerprint systems and QR systems simultaneously? The operational aspect of this is far from simple. HR departments now face an entirely new operational burden.
These decisions do not affect only large corporations. Factories in Anatolia are affected. Medium-sized construction companies are affected. Warehouses and local manufacturers are affected. Many businesses may now need to rebuild entire systems without any clear transition roadmap.
What about domestic technology companies? Türkiye has developed a serious PDKS industry. Software companies, hardware manufacturers and integration firms built systems that were considered legally compliant for years. Naturally, people now ask:
“What exactly are we supposed to rely on?”
If a system accepted as compliant today can tomorrow become a legally risky area in practice, how can long-term technology investments be planned with confidence?
I do not believe data privacy is unimportant. On the contrary, it will become one of the most critical legal fields of the future. But there is a thin line between protecting data privacy and constantly treating the private sector as a potential offender. I believe Turkish data protection law needs a stronger connection with operational realities.
It is also important to note the Authority’s public announcement following the Principle Decision: Even where valid explicit consent exists, proportionality will still be evaluated separately.
In other words, even where an employee freely consents, the Board may still conclude that the method itself is excessively intrusive. This represents a very significant shift for employers and operational systems.
Perhaps the most striking point is the Authority’s reference to methods such as paper charts, manual attendance systems and supervisor-based monitoring as alternatives. At a time when the world is discussing artificial intelligence and GDPR profiling debates, recommending paper attendance sheets as a solution can understandably feel to some employers like being advised to return to the era of carrier pigeons.
Despite all my criticisms, it should also be acknowledged that the Authority has been relatively consistent in this area. The 2025 Guideline on Issues to Be Considered in the Processing of Biometric Data already stated:
- If any alternative exists, biometric processing should not be considered necessary.
- Within the employer-employee relationship, consent cannot be regarded as freely given where employees are not effectively offered the possibility to refuse consent or where refusal may create disadvantages for them.
- Alternative systems should be provided for individuals unwilling or unable to use biometric solutions without creating additional cost or restrictions.
So this is not a sudden one-day shift. The Board did not abruptly change direction. It gradually strengthened and formalized an already existing approach. In some respects, the position is also aligned with the GDPR framework.
A few additional observations are also worth noting.
The fact that attendance tracking is a legitimate operational need does not automatically make every method legitimate. The Board’s approach has clearly moved beyond the simple question of whether explicit consent exists. The real issue now is whether biometric processing is truly necessary and whether the same objective could reasonably be achieved through less intrusive methods.
In other words, the Board is no longer focusing only on data security itself, but also on whether the processing activity is necessary from the very beginning.
Recording working hours is certainly an employer obligation. However, the Board no longer believes that employers should have unlimited discretion regarding the method used for such tracking. And this is precisely where the real debate begins.
Because what appears to be a reasonable “alternative method” in theory does not always match operational reality in practice. In some workplaces, the issue is not merely attendance tracking; it is security, auditability and evidence generation.
Ultimately, my criticism is actually quite simple: Why does the first instinct become restriction rather than practical problem-solving?
Consistency in principle decisions is one thing. Failing to sufficiently consider operational realities faced by employers is another.
I would like to conclude with this:
The presumption of innocence is not merely a concept belonging to criminal law. It is also a broader legal perspective.
There is no doubt that data privacy deserves protection. Biometric data is genuinely sensitive data. The Board’s cautious approach is therefore not entirely unreasonable. However, I believe a clearer distinction must be drawn between employers acting in good faith and genuinely abusive practices.
Today, many companies are simply trying to comply with regulations, maintain records, remain audit-ready and continue operating. Especially in shift-based systems, production facilities, logistics operations and construction sites, alternatives that may appear sufficient in theory do not always produce the same practical results.
A legal system should recognize not only violations, but also good faith. Onur Puğ Attorney at Law KVKK & Corporate Counsel



