09 February 2021
Achilles Tendon of Personal Data Protection: Staff Files
Keeping staff files is an obligation regulated in the Labor Law, and administrative fines are determined for the breach of this obligation. However, the relevant legislation neither sets out the content of staff files in a consolidated manner nor strictly specifies it as a numerus clausus list. Therefore, in habitual human resources practice, the content of staff files is kept as wide as possible. This habit, which originates from practice, has various drawbacks and risks with respect to the Personal Data Protection Law ("KVK").
Employee Consent in Data Processing
Within the scope of the principles under the KVK, personal data pertaining to the employees may be processed without the consent of the data subject if it is processed for "establishing and maintaining a contract" or "within the framework of the legitimate interests of the data controller". Rightfully, many workplaces obtain the explicit consent of employees for any personal data processed.
However, as per the principle of data minimization, even if explicit consent has been obtained, personal data should be processed in a manner that is proportionate to and compatible with its purpose. Documents and information containing personal data that exceed both the reasons for data processing set out by the law and the purposes specified in the privacy notice shall entail a risk in the context of the KVK. It should be noted that data controllers must prove that each piece of personal data they process is processed in a manner proportionate to the processing purposes.
Remain Protected: Less and Current Data
The simplest way to mitigate data-related risks is not to keep any data that is not mandatory with respect to the activities or legal obligations of the related organisation. In addition, the KVK requires that retained personal data be current and correct. In this respect, it is important to determine the procedures regarding how often employee data will be updated.
Key Point in Risk Reduction: Disposal
Since some data in the staff file will serve as evidence in case of any dispute with the employee, staff files pertaining to the respective employees are required to be kept for the duration of the employment relationship. After the termination of the employment relationship, certain data is required to be stored for a period of 5, 10 or 15 years as per tax, social security and occupational safety legislation, respectively. The implementation of periodic disposal processes should be evaluated for data other than these.
The care shown for data obtained after the employment relationship is established should also be shown in recruitment processes. Since there is no employment relationship between the parties in the recruitment process, personal data may only be processed with the consent of the candidates. In this regard, personal data obtained in the recruitment process, such as résumés and interview forms, should be kept for a relatively short period of time before disposal. If a database is to be created for use in future recruitment processes, the candidate must be informed, and explicit consent must be acquired.
Responsibility of Human Resources Professionals
The KVK regulates that the data controller shall be subject to administrative sanctions if personal data is processed in a non-compliant manner. However, an employer may claim compensation from employees who process data in a manner which constitutes a breach of their legal responsibilities. In addition, imprisonment of up to 8 years has been stipulated under the Turkish Criminal Code for actions which constitute unlawful obtaining, recording and sharing of personal data.
Developing personal data processing principles and policies in consideration of human resources practices is vital for both human resources professionals and employers. It is possible to significantly reduce legal and criminal liabilities by decreasing the scope of staff files, collecting personal data in a compliant manner, providing clarifications to data subjects, obtaining explicit consents when necessary and setting policies for periodic disposal of the personal data.