Av.Erdem Arda Akay


Introduction

»Because of technological developments, the protection of personal data, which affects economic and social life, is regulated in our law in almost every area, as in other countries. One of these areas is labor law.

»With the Law on Protection of Personal Data published in the Official Newspaper on April 7, 2016 and numbered 29677, a legal framework was established for the protection of recorded personal data belonging to individuals with whom natural and legal persons interact. The Law on Protection of Personal Data numbered 6698 complies with the General Data Protection Regulation (dated April 27, 2016 and numbered 2016/679) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (dated January 28, 1981 and numbered 108). Protection of personal data is very important in terms of privacy and general security.

»According to the principles adopted by the International Labor Organisation (ILO) and accepted in the context of processing personal data of workers in our country; the methods for protecting the personal data of the employees should be developed and the personal data to be processed by the data controllers should be kept to a minimum, and the personal data obtained should be limited to the areas related to the intended job.

Data Controller Registration Procedure for Employers

»The data controller is the natural or legal person who determines the purposes and tools of processing personal data and is responsible for the creation and management of the filing system. The employer person or institution has the title of data controller in the context of processing and protection of personal data. Natural or legal person employers who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.

Processing of Personal Data Information about Employees and Candidates

Processing of Personal Data by the Employer

»Employers can collect personal data on job applicants and employees for a number of purposes. Examples of these purposes are the evaluation of applicants, the preparation of a personal file, the collection of information on promotion and training for employees, and ensuring personal safety, personal security, quality control, customer service and the protection of property.

»The employer may want to know some features related to the candidate for employment, and he intends to decide accordingly. For this, the employer can ask prospective employees about their identity information, knowledge of their place of residence, educational status, and previous work experience. It should be noted that the scope of the information to be learned is related to the job.

»Employee identification information, professional success, continuity and efficiency can be collected by the employer in the form of personal data to be used later on in business. The point to be considered here is that this data is used with the explicit consent of the worker or, in exceptional cases where consent is not required, in accordance with good faith. Sharing such personal data will only be possible if third parties have a fair interest.

Employer’s Obligations in the Context of Protection of Personal Data  

In the Context of Turkish Law of Obligations:

»The personal data of the employee in the labor relationship will be processed by the employer and this data can be used when necessary. However, just as the employee has certain obligations to the employer due to the employment contract, there are also issues where the employer is under a contractual obligation toward the employees. One of them is the obligation to protect the employee.

»In this context, the subject of using personal data of employees is regulated under the title of “Protection of the employee’s personality” in the article 419 of the Turkish Code of Obligations numbered 6098:

“In the use of personal data

ARTICLE 419- The employer may use the personal data of the employee only to the extent that it is related to the worker’s predisposition or is necessary for the performance of the service contract. Special law provisions are reserved.”

»The relevant law provision is valid in terms of employment contracts arranged in the context of labor law, and the processing and use of personal data by the data controller employer will be carried out accordingly. The employee’s personal data won’t be used unless it is mandatory for the employee’s ability to work or the performance of the service contract.

In the Context of Labor Law;

»The employer is obliged to process and protect the personal data of the employees who are working under an employment contract in accordance with the legislation. The most typical example of employees' personal data processed by the employer is the employee personal file. The 75th article of the Labor Law numbered 4857 addresses the use and protection of the information obtained by the employer to be processed in the employee personal file:

ARTICLE 75. – The employer shall arrange a personal file for each employee working in his establishment. In addition to the information about the employee’s identity, the employer is obliged to keep all the documents and records which he has to arrange in accordance with this Act and other legislation and to show them to authorised persons and authorities when requested. The employer is under the obligation to use the information he has obtained about the employee in congruence with the principles of honesty and law and not to disclose the information for which the employee has a justifiable interest in keeping as a secret.

»Information in the nature of personal data on matters such as the employee’s identity information, professional success, continuity and productivity can be collected by the employer for later use in relation to the job. The point to be considered here is that this data is collected and used in accordance with the rules of honesty, even if consent is not sought in exceptional cases. Sharing the personal data in question will only be possible if there is a legitimate interest of third parties.

»The 25th article of the Labor Law regulates termination of the employment contract on the initiative of the employer. The article states that the employer may terminate the contract immediately for a justified reason if the disease the employee has contracted is incurable and it is determined that there is a harm in working at the workplace, or if the employee is absent due to a disease or disability arising from his own intent, unclear life or addiction to alcohol. Within the scope of this article, it is seen that the employer has the right to access the employee's health data for this purpose. In addition, the same article states that the employer has just cause for termination if the employee misleads the employer, at the time the employment contract is concluded, about qualifications or conditions required for one of the essential points of the contract that he/she does not have, or by giving untrue information or statements. This shows that the employer may request information in the nature of personal data regarding the fundamental issues and basic characteristics of the employee.

In the Context of Occupational Health and Safety Law and regulations:

»The health information of the employee is counted among the special categories of personal data under Article 6 of the Protection of Personal Data Law. The law stipulates explicit consent for the processing of personal data of special nature, but it is stated that the data related to health and sexual life can be processed for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. In this context, the lawful processing of special categories of personal data is of great importance for data controllers.

»The concept of processing personal data covers many data operations such as transferring, storing, protecting and destroying these data. In the Occupational Health and Safety Law No. 6331, the employer is obliged to keep the health information of the employee confidential. In accordance with the last paragraph of the 15th article of the relevant law, titled “Health Surveillance”, the employer is obliged to keep the health information confidential in order to protect the private life and reputation of the employee who was examined.

»In addition, under the regulation, the employer is obliged to keep the records of occupational health and safety activities and the personal health files of the employees. Without prejudice to other periods specified in the relevant legislation, the employer is obliged to keep all kinds of records regarding occupational health and safety activities carried out in the workplace, and personal health files of employees, for at least 15 years from the date of resignation.

»On the other hand, if the employee leaves the workplace and starts working in another workplace, the new employer will request the employee’s personal health file in writing, and the previous employer will approve a copy of the file and send it to the new employer within a month. The employer is under the obligation to keep the original copy of the approved book, and the occupational safety specialist and the workplace doctor keep the other copies. The employer is responsible for signing and keeping the ledger in order, and in case of a possible inspection, the employer must present the approved book whenever the authorized labor inspectors request it.

There are some obligations that the data controller employer must comply with while processing the personal data of the employee working with her/him:

Obligation to Inform and Explicit Consent;

»Explicit consent is defined as freely given and informed consent. Explicit consent of the person concerned is required to process personal data, with exceptions. Data processing will only be possible if this explicit consent exists. The consent of the person concerned should be given at the end of an information process. This information will also be provided in accordance with the obligation to inform regulated in Art. 10 of the Law on Protection of Personal Data numbered 6698.

Limited use of data for specified purposes and times;

»According to the principle adopted in the Law on Protection of Personal Data, the employer is only required to process data essential for the work performed and the execution of the work. The employer will be able to use the worker's personal data only for the purpose and period of which the worker was informed under the obligation to inform.

Transferring data to third parties in accordance with the law;

»According to Article 8 of the Personal Data Protection Law, the transfer of data is subject to the explicit consent of the person concerned. Personal data shall not be transferred without obtaining the explicit consent of the data subject. However, personal data may be transferred without obtaining the explicit consent of the data subject if one of the conditions set forth in the second paragraph of article 5 exists, or, on the condition that adequate measures are taken, one of the conditions set forth in the third paragraph of article 6.

Protect the personal data;

»The employer is also responsible for the protection of this personal data information entered into the data system. The employer should take all necessary technical and organisational measures to prevent the illegal processing of personal data, to prevent illegal access to personal data and to ensure the protection of personal data.

Policy Determination by the Employer on the Processing and Protection of Personal Data

»The employer will also be responsible for the security of personal data. In accordance with Article 12 of the Law, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent personal data from being processed illegally, to prevent personal data from being accessed illegally and to ensure the retention of personal data. In this context, the development of security procedures with technical and legal assistance will prevent data risks.

Sanctions in the Law on Protection of Personal Data Against Employers

»If personal data are not processed in accordance with the provisions of the legislation or if an unlawful result is found, the sanctions that the data controllers will face are shown in the 17th and 18th articles of the Personal Data Protection Law No. 6698.

»Under the 17th article of the Law No. 6698, titled “Crimes”, data controllers are held responsible, in criminal terms, for the crimes of recording personal data, illegally delivering or capturing data, and not destroying data.

»In the 18th article of the Law No. 6698, under the title of “Misdemeanors”; data controllers will be responsible and will be punished with administrative fines if they don’t fulfil obligation to inform stipulated in article 10 of this Law, obligations regarding data security stipulated in article 12 of this Law, decisions of the Board as per article 15 of this Law and obligation to register with the Data Controllers Registry and notification stipulated by article 16 of this Law. Administrative fines envisaged by this article shall apply to natural persons and private law legal persons who are data controllers. The Board will rule a penalty in the range specified in the law, based on the financial status of the data controller and the nature of the violation. In addition, the data subject can claim compensation in case of personal damage.
