The Constitutional Court’s (“Court”) Decision dated 12.07.2023 and with application number 2019/34119 has been published in the Official Gazette dated 02.11.2023. This decision concerns the use of a facial recognition system to track the working hours of employees in a public hospital, which allegedly violated the employees' right to demand the protection of personal data within the scope of the right to respect privacy. With this application made by the Union of Health and Social Service Employees ("Applicant"), of which the employees working as civil servants in the relevant hospital are members, it was claimed that the right to be tried within a reasonable time due to the long duration of the proceedings and the right to request the protection of personal data within the scope of the right to privacy were violated by the relevant practice.
Before the dispute was brought to the judiciary, Applicant applied to the relevant hospital and objected to the practice of shift tracking with the facial recognition system and requested the abolition of the practice. Upon the rejection of this request by the hospital, Applicant filed a lawsuit at the administrative court for the annulment of the relevant operation. In this case, Applicant claimed that the data obtained from the employees with the facial recognition system that the hospital started to implement is considered personal data since it leads to the physical identification of the individual, that the explicit consent of the relevant employees was not obtained in the collection and use of this data, and that the hospital's collection of the personal data of the employees with the respective system is unlawful. Furthermore, since there is no assurance that the collected data will not be used in any other manner in the future, it has been claimed that the personal rights of the employees have been violated by the workplace practice in question.
The defendant administration, on the other hand, argued that the relevant hospital is open to the public and is utilized by everyone and that the installation of an automatic surveillance camera system in such places for security reasons or to monitor the attendance of public employees is not a violation of the right to privacy and the right to protection of personal data. It also emphasized that the data collected from the employees were stored within the institution and were not shared with or kept by a third party to whom the devices were supplied. It was stated that the relevant practice is the usage of security cameras in public institutions and organizations in order to carry out the necessary surveillance and inspection services in the context of the peace and tranquility of the institution and the protection of public property, and it was requested to dismiss the lawsuit. Court decided to dismiss the lawsuit by justifying the defendant Institution on the grounds that the relevant data is not shared with third parties, the data of the employees that can be used for policing purposes such as retina or fingerprints are not taken, the workplace application in question is legitimate and appropriate for the purpose, and therefore there is no violation of the law in the relevant application.
The plaintiff filed an appeal against the relevant decision. In the decision dated 20.05.2014 issued by the 5th Chamber of the Council of State, which examined the dispute, it was emphasized that the aforementioned practice is unlawful, while personal data can only be processed under the circumstances of being prescribed by law or with the explicit consent of the person, that there is no explicit consent in the case at hand and there is no legal regulation that allows video recordings to be taken for the time monitoring of civil servants, therefore, there is no proportionality between this practice and the public benefit intended by the institution, and the appeal was accepted, emphasizing that it is contrary to the principle of proportionality. In the decision, it was emphasized that the practice of
monitoring the working hours with the camera recording system as part of the collection of personal data from the personnel is within the scope of the principle of the right to privacy, even if such practice takes place in the public sphere. On these grounds, the decision was reversed and sent to the Court of First Instance. However, the Court of First Instance did not comply with this reversal decision of the Council of State and insisted on its initial decision to dismiss the case. After the plaintiff appealed against this decision of insistence, the Supreme Court reversed the decision by stating that the practice in question was not in compliance with the law. Thereupon, the respondent administration's request for correction of the decision was accepted by the General Assembly of the Administrative Chambers of the Council of State and it was decided to approve the initial court decision, which was stated that it complied with the procedure and the law.
The first claim of Applicant is that the right to be tried within a reasonable time has been violated due to the excessively long duration of the proceedings. In this respect, Court rejected the application on this claim without examining the merits of the claim due to the non-exhaustion of legal remedies. According to the assessment made by Court, in cases with complaints regarding the long duration of the proceedings and late or incomplete execution or non-execution of judicial decisions, the applicants must first apply to the Compensation Commission. In this regard, it was emphasized that the application to Court without first applying to the Compensation Commission is incompatible with the subsidiary nature of the individual application and is therefore inadmissible due to the non-exhaustion of legal remedies.
Regarding Applicant's other claim that the relevant practice violates the right to privacy, Court conducted an assessment within the context of the identity of Applicant. In its assessment, Court stated that under the relevant articles of Law No. 6216 on the Establishment and Trial Procedures of Court, there are two basic prerequisites for an individual application. The first of these is stated as that an actual right of the applicant must have been violated due to the act or transaction or negligence of the public authority, which is the subject of the application and which is alleged to have caused the violation, and that the applicant must claim that he/she has been aggrieved as a result of this violation, and the second is that the applicant must have been personally and directly affected by this violation. Upon examining the application, Court ruled that the application was inadmissible due to a lack of jurisdiction in terms of the personality of Applicant, as it could not be said that an actual and personal right of the legal entity of the union was violated by the relevant practice, considering that Applicant was not the employees whose personal data was used, but the union to which these employees belonged.
This decision of Court is significant in terms of the sensitivity to the point that individual applications for the protection of personal data, which is an extension of the right to respect for privacy, must be filed by the victim who is directly affected by the violation of rights. Unless there is a concrete fact that the rights of the legal entity are directly affected by the transaction subject to the violation, the applications will be decided to be unauthorized in terms of the person of the applicant in line with the precedent decisions.
You may access the relevant decision of Court from this link.