Can Employers Use Retina or Fingerprint Recognition for Attendance Tracking?

Many employers have started using fingerprint recognition and retina recognition as a way of attendance tracking in the last decade. However, as Personal Data regulations worldwide get stricter with time, employers are starting to realize their role as a data controller comes with its own trials and tribulations. One such problem may be resolved by accumulating accurate knowledge of the regulations surrounding the issue within Turkish jurisdiction.

Given that retinal scanning and fingerprint recognition involves the collection and processing of personal data, it falls within the purview of the Law on Protection of Personal Data No. 6698 (“the Data Protection Law”), as published in the Official Gazette Number 29677 on 07.04.2016. Notably, such data is classified as biometric as affirmed by the Council of State below;

15^th Chamber of Council of State Case No. 2014/4562

“Biometric methods encompass identity control techniques realized through measurable physiological and individual characteristics, which can be automatically verified. These methods include fingerprint recognition, palm scanning, hand geometry recognition, iris recognition, face recognition, retina recognition, DNA recognition, etc.…”

i. Data Protection Law and Consent

Once we recognize the classification of fingerprint recognition and retina recognition as biometric data, we shall refer to Article 6 of the Data Protection Law.

Article 6 –

(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

For retinal scanning and fingerprint recognition data constitutes a special category of personal data, its processing is subject to stricter conditions, unless performed by a competent public institution for the purpose of public health.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

It is imperative to note that governing bodies and courts meticulously assess the voluntary nature of consent on a case-by-case basis. The stance of the Personal Data Protection Authority emphasizes that, especially in an employee-employer relationship, consent cannot be deemed freely given if an employee is not provided with the opportunity to refuse consent effectively, or if refusal could result in a possible adverse impact on the employee. In the context of retinal scanning for attendance tracking, where attendance is crucial to the employee-employer relationship, employees may not effectively refuse to consent. Consequently, explicit consent in this matter is deemed invalid, posing a tangible risk of litigation, as evidenced by past court judgments.

ii. Stance of Courts and the Personal Data Protection Authority

The aforementioned position of the Personal Data Protection Authority is grounded in Constitutional Court judgments. In a relevant case dated 28.09.2017, Case No. 2016/125, Judgement No. 2017/143, the Constitutional Court emphasized that the biometric data processing method must be necessary, appropriate, and proportional for its intended purpose. In another instance, the Council of State's Plenary Session of the Law Chambers declared a government-run hospital’s fingerprint recognition data processing for attendance tracking unconstitutional (Case No. 2014/2242 Judgement No. 2015/4991 Date 09.12.2015) These decisions are rooted in the fundamental right to privacy enshrined by the Turkish Constitution. Consequently, courts often order the destruction of previously processed data and mandate alternative means of attendance tracking.

It is of great significance to state how Article 4 of the Data Protection Law would be applied to this case as well.

ARTICLE 4 – 

(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and fairness

b) Being accurate and kept up to date where necessary.

c) Being processed for specified, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purposes for which they are processed.

d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

This article holds paramount significance for the Personal Data Protection Board, specifically in relation to Decision No. 2021/1258 dated 16.12.2021, which debated the same question of whether employers can use biometric data for attendance tracking. The decision in question is about the unlawful processing of the personal data of the data subject by the data controller company who terminated an employee and said employee has filed a complaint about finger recognition and face scanning required to enter work premises.

Personal Data Protection Board ruled, in accordance with the principle outlined in subparagraph (ç) of Article 4 of the Data Protection Law, that data processing should adhere to the principles of relevance, limitation, and proportionality to the intended purpose. The principle of proportionality dictates that processed data should be suitable for realizing specified purposes. Processing personal data unrelated to the intended purpose or deemed unnecessary should be avoided. Data processing should not anticipate future needs, and a reasonable balance must be established between the data processing activity and its intended purpose. In other words, data processing should be limited to what is necessary to achieve the purpose. The data controller should request a minimum level of information from the data subject, aligning with the principle of proportionality and its purpose, while avoiding unnecessary data processing.

The ruling emphasizes that biometric data, such as fingerprint and face scans, are not considered necessary or proportionate for attendance tracking or entering work premises. Biometric data may only be deemed necessary for technical databases, high-security clearances, or similar contexts.

In addition to that, even if the processing of personal data is carried out depending on the consent of the data subject and depends on a specific purpose, explicit consent will not legitimize the collection of excessive amounts of data, accordingly, personal data should only be collected for specific purposes and as much as necessary, used where required by the purpose and not kept for longer than necessary for the purpose. In this direction, it is disproportionate to the need to ensure the security of the company employees stated by the data controller as the reason for processing the fingerprint and face scan data of the person concerned, and that the processing of biometric data by the data controller is not in accordance with the principle of proportionality, one of the general principles of Data Protection Law while it is possible to achieve the same purpose with methods such as magnetic card readers and checklists that do not require the processing of biometric data. Seeing that security reasons are not deemed proportionate for biometric data processing; we can surmise that neither will attendance tracking be acceptable even with explicit consent.

iii. Conclusion

In conclusion, the use of fingerprint recognition and retina recognition for attendance tracking by employers has become a prevalent practice, but it is not without its challenges, particularly in light of evolving personal data regulations. Aside from the established stances of the High Courts on this matter, it is crucial to acknowledge that, apart from potential court costs, Article 18 of the Data Protection Law outlines various administrative fines. These fines may be imposed for events such as failure to provide an effective means of consent and neglecting to implement necessary technical and administrative measures to prevent personal data from being accessed by third parties.

In short, utilizing retinal scanning and fingerprint recognition for attendance tracking carries substantial risks of litigation and administrative fines. This topic has been brought forward to courts many times, and the High Courts have reached a consensus. The conclusion drawn from the legal landscape in Türkiye is that employers using biometric data for attendance tracking should carefully assess the necessity, proportionality, and alternative methods available. The explicit consent of employees may not suffice even if seems to be freely given on the surface, and the processing of biometric data should align with the overarching principles of the Data Protection Law. As regulations continue to evolve, employers need to stay vigilant and compliant to avoid potential litigation and ensure the protection of individual privacy rights.