All questions

Data protection

i Requirements for registration

Employees have a right (which they may not waive) to social insurance and consequently their employment must be registered and notified to the Social Security Institution. Information regarding employees is, therefore, recorded and kept by both the government and the employer. The company does not have to submit all the employee information it processes to the government, but it may be obliged to supply certain information to government institutions.

A personnel file must be kept for each employee containing prescribed information, including a certified copy of the employee's national identity card, certificate of domicile, criminal record information, marriage licence, documents concerning family and children, the employment agreement, job application form, graduation certificates and references. To process other personal information, an employee's permission must be obtained. Access to the data related to employees is allowed if it is gained pursuant to a legal obligation.

Employers should take all necessary precautions to prevent the loss, alteration or damage to the information they hold about employees and to prevent the unauthorised dissemination or transfer of the data.

The relevant arrangement of Article 75 of the Labour Law is as follows:

Employee's Personal File: The employer arranges for a personal file for each employee. The employer is obliged to keep the identity particulars of the employees as well as any document and record pursuant hereto and to other laws and submit the same to authorized officials and bodies, when required.
ii Cross-border data transfers

Transferring an employee's data without his or her consent is illegal. The employee can prepare a common use agreement to assist the employers' record-keeping obligations. The database controller is responsible for keeping the information secure.

Regarding the use of personal data, the following provision has been regulated in Article 419 of the Turkish Code of Obligations: 'The employer may only use the personal data of the worker to the extent that it is necessary for the employment of the worker or for the performance of the service contract.'

iii Sensitive data

Health information, social insurance numbers, family information, bank business records or account information can be considered sensitive information and limitations can be placed on the handling of such information, which is regulated by several laws. If these laws are violated, legal action may be taken in the form of security measures and administrative fines for entities, and penal sanctions for individuals.

iv Background checks

Background checks, including credit checks, are permissible, but with certain legal limitations. Attorney–client privilege applies to meetings between a candidate and his or her lawyer.