Tracking employees’ entry and exit times is a legitimate need for employers in terms of work organization and payroll processes. However, meeting this need does not automatically make the processing of employees’ biometric data lawful. The Personal Data Protection Board’s (KVK Kurulu) Principle Decision No. 2026/921, published in the Official Gazette dated 02.06.2026, establishes as a clear principle that biometric data should not be used for time tracking purposes.
What Does the KVK Kurulu’s Principle Decision No. 2026/921 Mean?
The Board’s principle decision directly addresses practices involving the use of biometric data in employee time tracking. Accordingly, employers should not process biometric data for the purpose of monitoring employees’ attendance.
This assessment is particularly important for workplaces that use fingerprint, palm print, facial recognition, or similar biometric verification methods. This is because the data processing activity intended for time tracking results in the collection and use of sensitive data that enables the employee’s identity to be uniquely verified.
By their nature, principle decisions are understood to establish a general standard of practice not only for a specific dispute, but also for data processing activities of the same type. For this reason, the decision is a compliance issue requiring employers to review their existing systems and human resources processes.
Why Is Biometric Data Protected More Strictly?
Under Law No. 6698 on the Protection of Personal Data (KVKK), biometric data falls within the category of special categories of personal data. Special categories of data are categories of data that may lead to more serious consequences for the data subject if disclosed or processed unlawfully.
The key feature that distinguishes biometric data from other personnel data is that it can identify a person uniquely through their physical or behavioral characteristics. Data such as fingerprints or facial geometry differs from a changeable password or card number; if unlawfully disseminated once, it may create risks that are difficult to remedy.
For this reason, if an employer’s administrative need, such as time tracking, can be met through lighter and less intrusive methods, the processing of biometric data becomes problematic in terms of the principle of proportionality. In personal data protection law, it is not enough for the purpose to be legitimate; the means chosen must also be necessary, suitable, and proportionate.
Is Explicit Consent a Sufficient Basis for Time Tracking?
In practice, employers often attempt to legitimize biometric systems through explicit consent forms obtained from employees. However, explicit consent is not an unlimited tool that makes a data processing activity lawful in all circumstances.
In employment relationships, there is a structural imbalance of power between the employee and the employer. For this reason, whether the employee’s consent is genuinely based on free will must be assessed separately. In a setting where working is not practically possible without time records being kept, the employee may be concerned about facing negative consequences if they do not give consent.
In addition, even where explicit consent exists, the general principles under the KVKK continue to apply. In particular, a separate assessment must be made in terms of the following principles:
- The data processing activity must be based on specific, explicit, and legitimate purposes.
- The data processed must be relevant, limited, and proportionate to the purpose.
- If less intrusive alternatives exist, priority should be given to those methods.
- The necessary administrative and technical measures must be taken for special categories of data.
In light of the KVK Kurulu’s Principle Decision No. 2026/921, relying on explicit consent for the processing of biometric data for time tracking purposes will not provide employers with a safe compliance basis.
Which Methods Can Employers Use for Time Tracking?
Conducting time tracking is not unlawful; the risk of unlawfulness arises from the method chosen for such tracking processing the employee’s biometric data. Employers should prefer methods that process less data to achieve the same purpose and create a lower privacy impact on employees.
Alternatives that may be considered in practice include:
- Personnel card or magnetic card systems,
- Digital recording systems accessed with a username and password,
- Turnstile cards or contactless access cards,
- Traditional attendance sheets such as signature sheets,
- Electronic timekeeping software suitable for the nature of the work.
These methods must also be designed in compliance with the KVKK. For example, in a card-based system, it should be determined who may view employees’ entry and exit records, how long they will be retained, and for what purposes they will be used. The fact that biometric data is not being processed does not eliminate the data controller’s other obligations under the KVKK.
What Should Workplaces Currently Using Biometric Systems Do?
Employers that currently conduct time tracking through fingerprint, facial recognition, or similar biometric systems should carry out a compliance assessment without delay. This assessment is not limited to a technical system change; human resources procedures, privacy notices, the data inventory, and retention-destruction processes should also be reviewed.
The priority steps may be listed as follows:
- All systems used for time tracking should be identified.
- It should be technically examined whether biometric data is processed in these systems.
- If biometric data is processed, a transition plan to alternative methods should be prepared.
- The retention and destruction processes for existing biometric data should be assessed.
- Privacy notices for employees and internal policy documents should be updated.
In this process, data controllers must assess legal risks not only with respect to their practices after the date of publication of the decision, but also in relation to biometric data collected previously. Where necessary, it is important to operate destruction procedures and update records.
Employees’ Rights and Application Mechanisms
Employees have the right to learn for what purpose their personal data is processed, with whom it is shared, how long it is retained, and the legal basis for processing. An employee working in a workplace where biometric data is processed may apply to the data controller and request information about the data processing activity concerning them.
In addition, the employee may request the deletion or destruction of data that they believe has been processed unlawfully. The data controller must respond to the application in accordance with the procedure prescribed by the legislation. If the application is rejected, not answered within the prescribed period, or the response given is considered insufficient, the possibility of applying to the Board may arise within the framework of the relevant legislation.
What Does This Mean in Practice?
The KVK Kurulu’s Principle Decision No. 2026/921 has clarified employers’ compliance approach regarding the use of biometric systems in time tracking. Employers are expected to meet their work organization needs without processing employees’ special categories of personal data.
- Biometric data should not be used for time tracking.
- Explicit consent should not be viewed as a safe legal basis on its own for such practices.
- Employers should consider less intrusive alternatives such as cards, passwords, and timekeeping software.
- Existing biometric systems should be re-examined together with the data inventory and destruction processes.
- Employees’ rights to information, deletion, and application under the KVKK should be observed.