Turkish Law Blog

“Conducting a Reference Check” and “Giving a Reference” in a Recruitment Process within the scope of the Turkish Legislation on the Protection of Personal Data

Zeynep Tuncer Zeynep Tuncer/ University of Fribourg
25 November, 2019
559

Part I: A general overview in the form of questions and answers

In principle, there are no obligations arising out of an employment relation between a potential employee and a potential or prospective employer unless an employment agreement is concluded. Similarly, all obligations between an employee and an employer arising out of an employment relation end upon the termination of the employment agreement. Nevertheless, some obligations referred to as pre pactum and post pactum obligations exist and continue existing even before the conclusion of the employment agreement and survive the termination thereof. For instance, in cases where the potential employer[1] would be processing the candidate’s personal data such as his/her identity, contact details or educational background, the potential employer would be under the obligation to process the relevant personal data in line with the Law on the Protection of Personal Data no. 6698 and the secondary legislation (the “LPPD”) thereunder. In other words, while calling the candidate’s former employer for a reference check and sharing with (transferring to) such former employer the candidate’s personal data such as identity information, the potential employer has to comply with the LPPD.

In a similar way, the former employer has to retain information and/or documents included in the employee’s personal file until the end of the prescription periods set forth in the relevant legislation for such information and/or documents. Considering that personal data such as identity information, passport photograph or criminal record is included in the employees’ personal file, the former employer has to retain the relevant information and/or documents in line with the provisions of the LPPD, and to erase, destruct or anonymize the relevant data upon the end of their prescription periods. In addition, in cases where the former employer[2] accepts giving a reference for the candidate to the potential employer and, in this extent, decides to share with (transfer to) the potential employer the candidate’s personal data such as his/her working conditions, attendance or performance, such sharing (transfer) should be made in line with the provisions of the LPPD.

The general rules to be abided by while “conducting a reference check” and “giving a reference” as well as the consequences of not abiding by such rules have been examined in the form of questions and answers throughout this article. Specific questions such as the nature of the references indicated in resumes or data processed based on information published in candidates’ social medias will be examined in the next article.

1. Is “conducting a reference check” and “giving a reference” obligatory for the potential employer and the former employer?

Article 28 of the Turkish Labor Law no. 4857 (the “Labor Law”) sets forth that the employer shall deliver to the employee leaving his/her job a “certificate of employment”. Such certificate shows the nature of the duty performed by the employee and the duration of the employee’s employment at the relevant workplace. The Labor Law and the general legislation does not stipulate any obligation other than the delivery of such certificate of employment for the employer towards the employee leaving his/her job. In other words, the former employer is not obliged to give a reference for his/her former employee even if the former employee requests such a reference.

Similarly, no obligation to conduct a reference check is stipulated for the potential employer under the general legislation. Nevertheless, such obligation may arise out of the workplace policies.

As it can be observed, conducting a reference check and giving a reference is voluntary for the potential employer and the former employer. However, if the former employer and the potential employer decide with their own free will to be involved in a reference process, they have to share the personal data in line with the provisions of the LPPD

2. Why “Conducting a reference check” and “giving a reference” is considered within the scope of the LPPD?

Article 2 of the LPPD describes its scope of application. As per the relevant article, the provisions of the LPPD shall apply “to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or, provided that the process is a part of any data registry system, through non-automatic means.”

As understood from the above-referred article, the provisions of the LPPD shall apply (i) if there is personal data of a natural person, (ii) if there is a natural or legal person processing such personal data and (iii) if the relevant personal data is processed in a data registry system. In addition, “conducting a reference check” and “giving a reference” should also be considered as a data processing activity (iv) within the scope of the provisions of the LPPD.

2.1. Personal data transferred when “conducting a reference check” and “giving a reference” are personal data of natural persons

The LPPD includes the definitions of both “personal data” and “personal data of special nature”.

The definition of “personal data” stated in the LPPD is rather wide. Indeed, as per the definition given under Article 3 of the LPPD, personal data mean “all the information relating to an identified or identifiable natural person”. As it can be seen, a “personal data” may be all kinds of data making the identification of a natural person possible such as his/her name and surname, date and place of birth, e-mail address, profession, performance at work, attendance, nickname (if any) or educational background. When defining the notion of “personal data”, the legislator has not made a numerus clausus enumeration.

Contrarily, the definition of “personal data of special nature” is not so wide. As per the definition given under Article 6 of the LPPD, “personal data of special nature” mean “personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data”. In other words, personal data of special nature are the data which may lead to a risk of discrimination for the natural person if his/her personal data is processed.

It is general practice that, during a recruitment process, the potential employer, which conducts a reference check, shares with the former employer the identity information of the candidate and requests, in return, detailed information about the candidate from the former employer. In addition, in case the position for which the candidate is evaluated requires some specifications, it is also of frequent nature that the potential employer requests data related to the candidate’s health or memberships, which constitute personal data of special nature. Thus, the data shared by the potential employer with the former employer are personal data of a natural person such as his/her name and surname.

Similarly, the former employer also shares with the potential employer the candidate’s personal data such as his/her performance in the former workplace, his/her attendance, disciplinary records, reason(s) for leaving, personality, character or working conditions. Such data are also personal data within the scope of the LPPD since they enable the identification of a natural person. Further, where required by the circumstances, the former employer can also provide the former employer with some data related to the health or memberships of the candidate. Such data are personal data of special nature as they are considered within the scope of Article 6 of the LPPD.

2.2. Candidates’ personal data are processed by the former employer and (generally) by the potential employer

Pursuant to the provisions of the LPPD, personal data can be processed either by the data controller or the data processor. As per the definition given under Article 3 of the LPPD, the data controller is “the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system”. The Guidelines on the “Data Processor and Data Controller”[3] sets forth some criteria to determine the data controller. According to the relevant Guidelines, the potential employer and the former employer can be considered as data controllers, provided that the below general criteria are fulfilled:

  • The collection and collection method of the personal data,
  • The types of personal data to be collected,
  • The purposes of use of the personal data,
  • Which natural persons’ personal data will be collected,
  • Whether the personal data which have been collected will be shared/transferred and if so, the persons with whom they will be shared/transferred, and
  • How long the personal data which have been collected will be retained.

The former employer himself/herself decides on all of the above-stated issues, and thus is a data controller. Indeed, the former employer has already requested from the former employee his/her personal data as per the provisions of the legislation (and maybe other personal data which are not mentioned in the legislation) in order to prepare his/her employee personal file, processed the relevant personal data and even if the employee has left his/her job, the former employee is still under the obligation to retain the relevant personal data until the end of the prescription periods stipulated in the legislation.

Contrary to the former employer, a case-by-case examination should be carried out regarding the potential employer. As a matter of fact, if the potential employer registers all or a part of the candidate’s personal data through automatic means or, provided that the process is a part of any data registry system, through non-automatic means, and if he/she decides which one of the personal data will be transferred and how long they will be retained, then the potential employer will be deemed as a data controller, as he/she fulfills the above-stated criteria. Such examination should be made carefully, since calling the former employer for a reference check regarding the candidate gives important tips regarding the fact that the candidate’s personal data have been processed by the potential employer in a data registry system as specified under the LPPD.

2.3. Personal data are processed by the former employer and (generally) by the potential employer in a data registry system

As stipulated above, the data controller processes the personal data “fully or partially through automatic means or, provided that the process is a part of any data registry system, through non-automatic means”. It should first be underlined that a “data registry system” means the processing of personal data by being structured according to certain criteria. Registering all the job applications in an alphabetical order may be given as example to illustrate “by being structured according to certain criteria”. In other words, “processing of personal data by being structured according to certain criteria” may be defined as processing the relevant data under a defined categorization.

The categorization referred to above can be made either automatically or manually. In both cases, there is a data registry system. Processing data automatically or through electronic means implies the automatic registration under certain categorization of personal data uploaded to an electronic instrument like a computer through a software installed on the said electronic instrument which contains some algorithms, and which enables such automatic categorization without human interference. Contrary to this method, processing data manually means the registration of personal data under a certain categorization with human interference. For instance, filing job applications made over a year in a chronological order can be given as example to illustrate the manual processing.

Upon evaluation of the situation from the former employer’s point of view, there is almost no doubt that the former employee’s personal data is processed in a data registry system, since the former employer is under the obligation to retain his/her employees’ personal data obtained based on the requirements of various legislations such as tax, occupational health and safety or social security legislations.

Contrary to the former employer, a case-by-case evaluation should be carried out for the potential employee to determine whether the personal data is processed in a data registry system. Personal data will be deemed registered in a data registry system in case they are systematically classified either automatically or manually.

2.4. “Conducting a reference check” and “giving a reference” is considered as “data processing” or “data transfer” within the scope of the LPPD

As per the provisions of the LPPD, “conducting a reference check” and “giving a reference” are deemed as “transfer of personal data”, which means the transfer of personal data either in Turkey or abroad by a data controller to another data controller. Such transfer may be verbal or in writing. For this reason, a call given, or an e-mail or mail sent by the potential employer to the former employer, or even the questions addressed to the former employer by the potential employer upon running across at a shopping center or during a walk are all considered within the scope of the LPPD.

Processing of personal data is defined under Article 3 of the LPPD as “any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or, provided that the process is a part of any data registry system, through non-automatic means”. As can be understood from the definition, the “transfer of personal data” is deemed under the LPPD as a data processing activity subject both to general and special rules.

3. Which general and special rules should be followed while conducting a reference check and giving a reference?

The general rules (3.1) and special rules (3.2) stipulated under the LPPD are examined separately throughout this article.

3.1. General principles: conditions for processing personal data

The general principles regarding the processing of personal data are stipulated under Article 4 of the LPPD. According to this article, the below-stated principles shall be observed within the processing of personal data:

  • Lawfulness and conformity with rules of bona fides.
  • Accuracy and being up to date, where necessary.
  • Being processed for specific, explicit and legitimate purposes.
  • Being relevant with, limited to and proportionate to the purposes for which they are processed.
  • Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

Upon evaluation of the above principles from the potential employer’s point of view, it can be noticed that the principle of “being relevant with, limited to and proportionate to the purposes for which they are processed” is generally not taken into account, as the potential employer is used to share with the former employer his/her own opinions about the candidate, which are generally directly related to the personality and private life of the candidate, and not to the position for which the candidate is being assessed. However, the potential employer is (generally) not entitled to share personal data which are not related to the position for which the candidate is being assessed.

Similarly, when the above principles are evaluated from the former employer’s point of view, it can be noticed that the principle of “lawfulness and conformity with rules of bona fides” is generally not taken into account, as leaving a job can sometimes be perceived as a “treason”, which makes the former employer share with the potential employer some personal data of the candidate without taking into consideration the candidate’s reasonable expectations and interests, and this generally gives rise to some unexpected results for the candidate.

3.2. Special rule: explicit consent

Regarding the processing of personal data, Article 5 (1) of the LPPD sets forth that “Personal data cannot be processed without the explicit consent of the data subject” and Article 6 (2) of the LPPD stipulates that “It is prohibited to process the personal data of special nature without explicit consent of the data subject.”.

Similarly, regarding the transfer of personal data inside Turkey, Article 8 (1) of the LPPD sets forth that “Personal data cannot be transferred without explicit consent of the data subject” and regarding the international transfer of personal data, Article 9 (1) of the LPPD states that “Personal data cannot be transferred abroad without explicit consent of the data subject”.

As it can be observed, the explicit consent of the candidate should be obtained either by the former employer or the potential employer if his/her personal data will be transferred by way of “conducting a reference check” or “giving a reference”.

Article 3 of the LPPD defines “explicit consent” as a consent that relates to a specified issue, is based on information and declared by free will. Within this scope, when a potential employer conducts a reference check, the potential employer shall first inform the candidate on the purpose of this reference process and ask for the candidate’s explicit consent on the relevant issue. Similarly, when a former employer will give a reference, the former employer shall inform his/her former employee on the purpose of the reference process and request the former employee’s explicit consent in this respect. In other words, when asking for the explicit consent of the candidate, the potential employer and the former employer bear an obligation to inform the candidate. The obligation to inform the candidate is a sine qua non condition for asking the candidate’s explicit consent. Similar to the explicit consent, the obligation to inform should be fulfilled by the data controller each time a personal data is requested, which means that the obligation to inform cannot be fulfilled on a general basis, but “apiece”.

The LPPD does not provide for any form requirement regarding the explicit consent and the obligation to inform. Thus, the obligation to inform can be fulfilled and the explicit consent can be obtained verbally, in writing, on an electronic platform or by any other means. However, the burden of proof is on the potential employer and the former employer, who shall demonstrate that they have fulfilled their obligation to inform the candidate and obtained his/her explicit consent. However, some exceptions to the obligation to obtain the data subject’s (the candidate’s) explicit consent are set forth in the LPPD.

4. Which are the exceptions to the obligation to obtain the candidate’s explicit consent?

There are certain differences stipulated under the LPPD regarding the transfer of the personal data inside Turkey (4.1) and the international transfer of the personal data (4.2). It should be noted that, even if the former employer or the potential employer is exempted from obtaining the candidate’s explicit consent, their obligation to inform them remains.

4.1. Exemptions regarding the transfer of personal data inside Turkey

As explained above, the candidate’s explicit consent should be obtained when conducting a reference check or giving a reference, both of which corresponds to a transfer of data. Nevertheless, pursuant to the 2nd paragraph of the 5th article of the LPPD, the candidate’s personal data may be processed without seeking the explicit consent of the candidate only in cases where one of the following conditions is met:

  1. it is clearly provided for by the laws,
  2. it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid,
  3. processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract,
  4. it is mandatory for the controller to be able to perform his legal obligations,
  5. the data concerned is made available to the public by the data subject himself,
  6. data processing is mandatory for the establishment, exercise or protection of any right, and
  7. it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Even if the above-stated exemptions shall be evaluated on a case-by-case basis regarding the potential employer who conducts a reference check and the former employer who gives a reference, the most common exemption in a recruitment process is the one stated under (vii) above. The relevant exemption is applicable only if the potential employer and the former employer have a current legitimate interest and if the legitimate interest of the employers does not violate the fundamental rights of the candidate. In brief, the legitimate interest of the employer should not endanger the candidate’s right to work, and in this sense, the transfer of the candidate’s personal data should not cause unexpected results for the candidate. For this reason, the relevant exemption should be well-evaluated and the balance between the employers’ legitimate interests and the candidate’s fundamental rights should be well-observed.

Similarly, some exceptions are also stipulated in the LPPD for personal data of special nature. Accordingly, the 3rd paragraph of Article 6 of the LPPD sets forth that the candidate’s personal data of special nature may be transferred inside Turkey without seeking the explicit consent of candidate only in cases where one of the following conditions is met:

  1. Personal data, excluding those relating to health and sexual life, may be processed in the cases provided for by laws, and
  2. Personal data relating to health and sexual life may only be processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

As it can be observed, benefitting from such exemptions does not seem “very” possible unless the potential employer and the former employer are employers such as the Social Security Institution or a hospital, which is active in a field enabling the processing of personal data of special nature.

4.2. Exemptions regarding the international transfer of personal data

There are certain difference stipulates under the LPPD regarding the transfer of the personal data in countries with sufficient level of protection (4.2.1) and the transfer of personal data in countries without sufficient level of protection (4.2.2).

4.2.1. Exemptions regarding countries having a sufficient level of protection

Pursuant to the provisions of the LPPD, the countries with sufficient level of protection will be announced by the Personal Data Protection Board (the “Board”). Even if the relevant countries have not been announced yet, the Board announced in its decision no. 2019/125 dated 02.05.2019 the “the form to be used for determining the countries having a sufficient level of protection”[4] (the “Form”). As per the information included in the Form, criteria such as the reciprocity between Turkey and the relevant country, the relevant country’s personal data protection legislation and practice or the existence of an independent personal data protection authority in the relevant country will be taken into account in determining whether a country has a sufficient level of protection.

In case the country which the candidate’s personal data will be transferred to has a sufficient level of protection, the exemptions regulated for the transfer of personal data inside Turkey will be applied identically[5].

4.2.2. Exemptions regarding countries not having a sufficient level of protection

Countries which do not have a sufficient level of protection will be those not listed in the announcement to be made by the Board. In such a case, personal data may be transferred abroad without the candidate’s explicit consent provided that;

  • One of the exemptions stipulated for the transfer of the personal data inside Turkey exists,
  • The potential employer or the former employer in Turkey and in the related foreign country guarantee a sufficient protection in writing (the minimum elements to be mentioned in the guarantee to be given by the potential employer or the former employer in Turkey and in the related foreign country have been announced by the Board[6]), and
  • The Board has authorized such transfer.

As can be seen from the above explanations, both the potential employer and the former employer should obtain the explicit consent of the candidate unless one of the above-stated exemptions is applicable. In case of non-compliance with these rules, the sanctions stated under the LPPD will be applicable.

5. Which are the administrative and penal sanctions to be applied in case of non-compliance with the provisions of the LPPD?

The LPPD stipulates both administrative and penal sanctions to be applied in case of non-compliance with the provisions of the LPPD.

Article 17 of the LPPD regulates breaches referred to as “crimes” and stipulates that imprisonment from 2 years to 4 years can be imposed in case of transfer of personal data to a person through a violation of the law. In case the potential and/or the former employer is a legal entity, security measures prescribed in the Turkish Penal Code shall be applicable.

Article 18 of the LPPD regulates breaches referred to as “misdemeanors” and stipulates that an administrative fine from TRY 7,350 to TRY 147,000 can be imposed on the potential employer and/or the former employer in case they do not fulfill their obligation to inform the candidate[7].

Conclusion

“Conducting a reference check” and “giving a reference” during a recruitment process were considered in our country by the majority as a right for the employers, and the candidates’ personal data transferred during this recruitment process were of secondary importance. In fact, it was accepted in the doctrine that the candidate’s consent should be obtained only if the candidate would have made a job application while still working and if obtaining a reference from his/her current employer was necessary[8]. The fact that the candidate’s personal data were also processed by the potential employer was not even taken into account.

The LPPD has introduced a new perspective to this issue and placed the candidate’s personal data into the forefront. In this way, “conducting a reference check” and “giving a reference” are no more considered as a “right” for the employers but knowing which of his/her personal data are processed is considered as a “right” for the candidates. Within this scope, the employers conducting a reference check and giving a reference should comply with certain rules.

The general legal framework has been examined throughout this article in order to show that “conducting a reference check” and “giving a reference” in a recruitment process is considered within the scope of the LPPD. However, the above-stated general rules should be interpreted on a case-by-case basis during a recruitment process. This is why the frequently used methods while “conducting a reference check” and “giving a reference” will be examined in the light of the provisions of the LPPD in the next article.


[1]        The employer conducting a reference check is referred to as the potential employer and the employer giving a reference is referred to as the former employer throughout this article.

[2]        In case the candidate makes a job application while he/she is still working, the former employer shall be considered as the current employer, and the current employer shall also act in compliance with the provisions of the LPPD.

[3]        Please see the following link to Access the relevant Guidelines: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/f63e88cd-e060-4424-b4b5-f6413c602060.pdf (last access date: 07.11.2019).

[4]        To see the relevant Form, please see the following link: https://www.kvkk.gov.tr/Icerik/5470/Kisisel-Verileri-Koruma-Kurulu-nun-Yeni-Yayinlanan-Karari (last access date: 10.11.2019).

[5]        As per the 5th Paragraph of Article 9 of the LPPD, “In cases where the interests of Turkey or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.”. Considering that such sensitive personal data are generally not transferred during a recruitment process, this issue has not been explained in the article.

[6]        To see the minimum elements, please click on the following link: https://www.kvkk.gov.tr/Icerik/5255/Taahhutnameler (last access date: 10.11.2019).

[7]        These are the administrative fines applicable in 2019.

[8]        UNCULAR, Selen, Kişisel Verilerin Korunması Kanunu ve AB Genel Veri Koruma Tüzüğü Kapsamında İş İlişkisinde İşçinin Kişisel Verilerinin Korunması, Edition Seckin, 2nd Edition, Ankara 2018, p. 208.

Leave a comment

Please login or register to comment

Comments