Data Protection and Labor Law Compliance for Internal Investigations

Upon the enactment of the Turkish Data Protection Law No. 6698[1] (“DP Law”) in 2016, compliance with the data processing principles and procedures set out under the DP Law has become one of the most popular topics with respect to Turkish law. The Personal Data Protection Board’s (Kişisel Verileri Koruma Kurulu) various regulations, decisions, principles, and guidelines, as well as the Turkish courts’ precedents, have paved the way for a more precise implementation of the DP Law over the last few years. As a result of such developments, the DP Law together with the Turkish Labor Code No. 4857 (“Labor Law”)[2] have become increasingly important when it comes to conducting internal investigations where processing employees’ personal data stands out as one of the main concerns for employers.

Within the scope of internal investigations, it is highly crucial for employers to comply with employees’ rights arising from the Constitution of the Republic of Turkey, the DP Law, the Labor Law, and all other applicable legislation. This is because employers’ failure to maintain compliance with employees’ rights may lead to both the imposition of administrative fines as well as the investigation findings being regarded as inadmissible for other labor law related matters, such as using the findings as the basis for termination of the employment relationship. These consequences make it important for companies to be well-prepared for internal investigations by implementing the adequate legal measures both before and during an internal investigation. In this article, we will walk you through some of the corporate steps that should be followed in order to ensure compliance with the DP Law and the fundamental rights of employees during an internal compliance review/investigation process in light of the principles laid out by the Turkish Constitutional Court (“Court”) in its recent decision[3] involving an employee’s individual application for a decision rendered by the court of first instance.

The Turkish Constitutional Court’s Decision on the Inspection of Company-issued Communication Devices

The Turkish Constitutional Court very recently rendered a decision with respect to an employee’s individual application regarding the inspection of employee corporate e-mail accounts which also set out the general principles regarding the balance between an employer’s right to conduct a compliance review on company-issued communication devices and the employee’s right to privacy. Employers should carefully review these principles and implement the respective legal actions, some of which are listed under the “Actions for Internal Investigation” section below, to ensure the lawful application of an internal investigation.

In its decision, the Court set forth certain assurances that must be provided with respect to the protection of personal data and the freedom of communications when inspecting the content of employee corporate e-mail accounts and using such content as a basis for termination of the employment relationship. The Court emphasized that employers do not have an unrestricted right to review and inspect communication devices issued to employees based on the fact that such communication devices belong to the employer, as this approach is not in line with employees’ rightful expectation that their fundamental rights and freedoms should be respected in the workplace in democratic societies.

According to the Turkish Constitutional Court decision, employers who intervene in employees’ fundamental rights and freedoms must provide the following assurances:

• Legitimate Grounds. There should be legitimate reasons justifying the inspection of the communication devices that employers provided their employee and the content of the communications made through such devices.
• Last Resort: In order for an employer to intervene in an employee’s right to data protection and the freedom of communication to be deemed legitimate, such intervention should be mandatory to achieve the purpose of the investigation and there must not be a less intrusive method available to achieve the same results.
• Transparency: The processing of personal data should be carried out in a transparent manner and the employer should notify employees of any processing activities in advance. Such notification should at a minimum include the legal grounds for the inspection, the purposes for the inspection, the scope of the inspection, the results of the inspection with respect to the employee’s communication and the processing of personal data, the retention period for such personal data, the rights of the data subject, and any potential beneficiaries of the personal data.
• Proportionality: The conflicting interests and rights of the parties should be fairly balanced taking into consideration the consequences and impact the inspection of the communication may have on the respective employee.

Actions for an Internal Investigation

In light of the aforementioned assurances set out by the Turkish Constitutional Court, employers should implement the adequate legal actions to avoid any legal implications that may arise from conducting an internal investigation. The following is a list of some of the legal actions that should be implemented to ensure lawfulness during an internal investigation:

• Identifying the scope and size of the investigation: It is essential that employers develop an investigation plan to identify the scope and size of the investigation, including the investigative team to be involved, and to outline the steps that will be followed within the scope of the investigation. Such a plan will be useful to tailor and keep track of the steps of the investigation in order to ensure the overall proportionality of the investigation. It is advisable that the internal investigation be conducted by a limited group of people, including the selected independent attorneys and consultants, and that the individuals involved should also be mentioned in the plan if possible.
• Reviewing internal compliance policies and procedures and employment agreements: Employers should implement or update internal compliance policies and procedures to inform employees that the personal data stored in their company-issued devices may be inspected by the employer and be transferred to third parties. Employers should ideally present the Turkish versions of such policies and procedures to employees in exchange for their signature as part of their employment contracts.
• Providing notice to employees and respecting the cross-border data transfer regime: Although it is recommended that the scope of the investigation not be extended to employee personal data, there may be circumstances where the employer needs to access personal data to conclude the investigation. In that respect, it is critical for employers to provide prior notice to employees with respect to the investigation for the purposes of providing them a general idea of what their privacy expectation should be and to strengthen the legitimacy of the data controller’s interference with the relevant data. Any data collected as part of the investigation should be in line with the employees’ reasonable expectations of privacy. Therefore, the investigation should refrain from including areas that employees would reasonably expect privacy, such as private conversations, unless there are reasonable and legitimate grounds to include such areas in the investigation.
  • The notice to be served to the employees should at least provide information on the following items as required by the Turkish Constitutional Court for transparency purposes: (i) the legal grounds for the inspection as well as the purposes for the inspection, (ii) the scope of the inspection, (iii) the results of the inspection with respect to the employee’s communication and the processing of personal data, (iv) the retention period for such personal data, (v) the rights of the data subject, and (vi) any potential beneficiaries of the personal data.
  • If the data that is subject to the investigation will be accessed from outside of Turkey, the employer must also take into consideration the data transfer regime available under the DP Law. In a nutshell, the DP Law currently restricts the transfer of personal data outside of Turkey and personal data may only be transferred outside of Turkey if (i) the receiving country is declared by the Turkish Data Protection Authority (“DPA”) as a country that provides adequate protection in terms of data protection, (ii) the data exporter and data importer signs an agreement, undertaking such adequate protection and obtains the approval of the DPA, or (iii) the individual subject to the data transfer grants his/her explicit consent.
• Adopting the necessary corporate actions: The board of directors or a similar corporate body within a company should adopt a resolution on initiating an internal investigation and sign an engagement letter with the independent consultants to be involved in the internal investigation.
• Conducting witness interviews with due care: Following the data collection process, the employer may need to conduct witness interviews involving employees. Although there are no specific rules regarding internal investigations or fact-finding interviews under Turkish law, it is usually accepted that an employer can conduct an internal investigation involving witness interviews with employees as part of its managerial and supervision rights subject to the general principles of the data protection, employment, and criminal laws. Although there is no legal requirement to obtain employee consent prior to an interview, it is advisable that written consent be obtained from the relevant employees before the interview to avoid any potential allegations or claims. This consent should ideally be obtained right before the interview starts without any prior notice so that the employees do not have time to collectively prepare for their statements. Since employees always have the right to remain silent, employers cannot force existing or former employees to participate in such interviews; however, existing employees are expected to participate due to their duty of care and loyalty to protect the interests of the employer.
  • The interviews can be recorded by those conducting the investigations so long as the relevant employees are clearly informed of the purpose of the recording and how the recording may be used and if the employee provides explicit consent. The same applies to any recording made by the relevant employees (i.e., consent is required from those running the investigation or interview). However, in practice, companies do not usually prefer recording interviews as this may prevent the relevant employees from telling the truth due to the added pressure they may feel. If the interview is not recorded, then interview minutes should be prepared and presented to the relevant employee for any suggested revisions and signature. If an employee refrains from signing the minutes, this should also be recorded in writing.
• Labelling the Investigation findings: All findings, investigation notes, reports, e-mails, and other correspondence should be labelled as “confidential – attorney-client privileged” and should be kept primarily in a location where privilege protection can be sought.