Personal Data Protection Board’s (“Board”) Principle Decision dated 29 April 2026 and numbered 2026/921 on the “Processing of Biometric Data for Attendance Tracking Purposes” (“Principle Decision”) entered into force upon its publication in the Official Gazette dated 2 June 2026. Through the Principle Decision, Board comprehensively assessed the use of biometric identification systems for employee attendance tracking in light of the lawfulness requirements set forth under the Turkish Personal Data Protection Law No. 6698 (“DP Law”).
I. Concept and Definition of Biometric Data
In the Principle Decision, the concept of biometric data was examined considering both national legislation and international regulations and practices, and assessments were made regarding the definition, scope and distinguishing characteristics of biometric data.
- Pursuant to the Law on Civil Registration Services No. 5490, biometric data is defined as person-specific data obtained from fingerprints, vein patterns and palm prints for the purpose of identity identification and verification through electronic systems.
- Under the General Data Protection Regulation (“GDPR”), biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person, such as facial images or dactyloscopic data.
Board also referred to various categories of biometric data and examples thereof in the Principle Decision:
- Physiological biometric data: fingerprints, retina and iris data
- Physical biometric data: observable physical characteristics such as facial and hand geometry
- Behavioral biometric data: voice patterns, signature dynamics and keyboard usage habits
The irreversible nature of biometric data was also particularly emphasized. In this regard, Board noted that, once unlawfully obtained, such data cannot be altered or recreated, thereby creating serious and irreparable risks for data subjects.
II. General Principles and Legal Grounds for the Processing
Biometric data constitutes special categories of personal data under Article 6 of the DP Law, and the processing of such data is prohibited as a rule. Accordingly, any biometric data processing activity may only be carried out where at least one of the legal grounds set forth under Article 6 of the DP Law exists.
In addition, the Principle Decision underlined that, considering the inherently high-risk nature of biometric data, relying solely on a valid legal ground would not be sufficient. In this respect, data controllers are also required to fully implement the adequate technical and organizational measures prescribed under Board’s Decision dated 31 January 2018 and numbered 2018/10[1].
III. Processing Conditions and Security Measures
a. Nature of Interference
In the Principle Decision, Board further assessed the processing of biometric data for attendance tracking purposes considering the general principles set forth under Article 4 of the DP Law. In this respect, Board stated that:
- Attendance tracking may also be achieved through less intrusive methods such as password-protected cards, PIN systems, attendance sheets or RFID/NFC card systems, and therefore biometric data processing cannot be considered necessary or the least intrusive method
- Although attendance tracking constitutes a limited administrative purpose, biometric data processing represents an intensive interference capable of producing severe and irreversible consequences for data subjects
- The possibility of combining biometric data with other processing activities or using such data for secondary purposes increases data security and misuse risks
Accordingly, Board concluded that the processing of biometric data for attendance tracking purposes is incompatible with the principles of relevance, proportionality and data minimization.
b. Legal Basis Concerns
In the Principle Decision, the legal basis for processing biometric data for attendance tracking purposes was assessed mainly from two perspectives. In this regard, Board stated that:
- although employers are required under the Labor Law and secondary legislation to monitor and record working hours, the relevant legislation does not establish an explicit normative basis requiring or expressly permitting the use of biometric identification systems and therefore such processing cannot be deemed to fall within the legal ground of “explicitly provided for by law” under Article 6 of the DP Law;
- while such processing activities are generally structured on the basis of explicit consent in practice, due to the structural dependency inherent in the employment relationship, employees cannot, in most cases, exercise genuine free will when giving or withdrawing consent.
In conclusion, the Principle Decision clearly establishes that the processing of biometric data for attendance tracking purposes neither satisfies the processing conditions under Article 6 of the DP Law nor complies with the general principles set forth thereunder. Accordingly, structuring biometric identification systems as optional or alternative mechanisms does not alter the legal assessment in this respect. Board also highlighted that data controllers are required to implement the necessary technical and organizational measures in relation to biometric data processing activities and noted that non-compliance with such obligations may result in administrative fines under Article 18 of the DP Law (up to TRY 17,092,242 for 2026).
You may access the full text of the Principle Decision here. (Only available in Turkish)
[1] Board Decision dated 31/01/2018 and numbered 2018/10 on the Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data (Only available in Turkish)
