In light of technological developments, electronic systems are increasingly being used to monitor employees’ entry-exit times and working hours. Particularly in recent years, biometric identification systems such as fingerprint recognition, facial recognition, palm vein recognition, and iris or retina scanning have become some of the preferred methods for monitoring employee attendance. However, the use of such systems also gives rise to significant legal discussion regarding the right to protection of personal data.
The “Principle Decision on the Processing of Biometric Data for Attendance Tracking Purposes” of the Personal Data Protection Board, dated 29.04.2026 and numbered 2026/921, requires practices involving the processing of biometric data in employee attendance control systems to be reassessed both in terms of explicit consent and the principle of proportionality.
In this information note, we will address the background of the relevant Principle Decision, its legal grounds, and its potential implications, particularly for employers’ corporate compliance processes.
Background of the Process: Legal Nature of Biometric Data
Under the General Data Protection Regulation and Law No. 6698 on the Protection of Personal Data, biometric data is considered a special category of personal data. The fact that such data is capable of uniquely identifying an individual and, by its nature, cannot in most cases be changed, makes the protection of biometric data highly sensitive.
Within the scope of employment legislation, recording working hours and being able to prove them when necessary is important, and it is clear that employers have a legally protectable interest in this regard. However, the Board emphasizes that recording working hours does not necessitate the processing of biometric data, and that there is no explicit legal provision stipulating that this obligation must necessarily be fulfilled through fingerprint recognition, facial recognition or similar biometric systems.
Therefore, it is not sufficient for biometric data processing activities carried out for attendance tracking purposes to merely rely on a legal basis; such activities must also be separately assessed within the framework of the principles of necessity, proportionality, purpose limitation and data minimization.
What Did the Board Assess and What Grounds Did It Rely On?
When assessing the processing of biometric data for attendance tracking purposes, the Board drew attention to two fundamental points concerning the legal basis of the practice: the validity of explicit consent and the principle of proportionality.
First, it is observed in practice that many employers base their biometric data processing activities on explicit consent obtained from employees. However, the hierarchical relationship and structural imbalance of power between employer and employee raise concerns as to whether the employee’s explicit consent is genuinely based on free will. If an employee believes that they may face adverse consequences if they refuse to provide consent, or if they feel obliged to give consent, such consent may not constitute a valid legal basis.
Second, and more importantly, the Board assessed the processing of biometric data in attendance tracking not only in terms of the validity of explicit consent, but also in terms of the principle of proportionality, even where explicit consent exists. In this regard, the Board stated that processing biometric data is not the only option for ensuring employee attendance control, and that there are less intrusive alternative methods capable of achieving the same purpose.
Indeed, attendance tracking may also be carried out through methods such as password-protected cards or PIN-based systems, RFID/NFC identity cards, traditional signature and paper-based attendance sheets, or manual entry under supervisor control. In the presence of such alternatives, it was concluded that the processing of biometric data would not satisfy the proportionality criterion set out under Article 4 of the Law, even if the explicit consent of the data subjects had been obtained.
In this respect, the most critical outcome of the Principle Decision is that it clearly establishes that the processing of biometric data for attendance tracking purposes cannot be deemed lawful solely on the ground that “explicit consent has been obtained from the employee.”
Higher Court Decisions, Employment Law and the Corporate Compliance Dimension
Although the Principle Decision published by the Board sets out the approach of an administrative authority that data controllers must take directly into account, the assessments of the Constitutional Court and the Council of State on this matter are also important case law shaping the legal framework of the practice.
In one of its decisions, the Constitutional Court considered the use of a fingerprint system for attendance tracking as an interference with the right to request the protection of personal data within the scope of the right to respect for private life. In the Council of State decision referred to by the Board, the use of a palm vein recognition system was not found lawful, and emphasis was placed on the principle of proportionality.
Within this framework, companies using biometric methods in employees’ entry-exit and attendance control processes must reassess their existing practices not only from a human resources or employment law perspective, but also from the perspective of personal data protection and interference with fundamental rights.
For businesses, conducting attendance tracking through biometric methods will not automatically be deemed lawful, even if consent has been obtained. For companies, reviewing their personnel attendance control systems and balancing the benefit to be obtained against the interference with fundamental rights, in accordance with data protection standards, has now become not merely a preference but an essential part of the compliance process for reducing legal risks.
What Does This Mean for Companies?
The Principle Decision requires existing practices to be reassessed, particularly by human resources, administrative affairs, information technologies and data compliance departments.
In this context, companies should first review their existing personnel attendance control system infrastructure. If biometric systems such as fingerprint recognition, facial recognition, iris or retina scanning, or palm vein recognition are being used, it is important to reconsider the legal basis of these practices and the related proportionality assessment.
Where biometric systems are used, merely preparing a privacy notice or obtaining explicit consent will not be sufficient. Data controllers must concretely assess whether biometric data processing is genuinely necessary, whether the same purpose can be achieved through less intrusive methods, and the impact of the processing activity on employees’ fundamental rights and freedoms.
Therefore, companies are advised to establish a transition plan, where possible, towards less intrusive alternatives such as password-protected cards, PIN-based systems, RFID/NFC cards, signature sheets or manual tracking under supervisor control. If existing systems continue to be used, a strong, concrete and documentable justification will need to be put forward as to why that choice is necessary.
Conclusion and Expectations
The Board’s Principle Decision once again demonstrates that biometric data requires a high level of protection due to its nature as a special category of personal data.
The Decision emphasizes that although employers have an obligation to monitor working hours, there is no explicit legal provision requiring biometric data to be processed for the fulfillment of this purpose. Due to the existence of less intrusive methods, it was concluded that the processing of biometric data for attendance tracking purposes may be contrary to the principle of proportionality, even where valid explicit consent exists.
In this regard, the business world, particularly human resources and data compliance departments, should update their existing infrastructure in line with the Principle Decision and higher court case law. Although the integration of technological developments into business processes is inevitable, ensuring that such integration is carried out by taking into account personal data protection law, fundamental rights and freedoms, and the principle of proportionality will be one of the most critical compliance topics in the upcoming period.
You may access the full text of the Decision through this link.