On April 19, 2022 the decision (“Decision”) of the Constitutional Court (“CC”) dated March 10, 2022, to the application with the Registration No. 2018/11988 on the violation of the right to personal data protection by the work shift follow-up with the help of fingerprint was published in the Official Gazette.
- What is The Content of The Application?
The Application concerning the registration of fingerprint and the follow-up of work shifts with the help of a Fingerprint Registration System by the applicant, who works in a public institution which utilizes the fingerprint technology for the follow-up of entrance and exit in the context of work shifts, was rejected by the respective public institution. Followed by the rejection by the public institution, a lawsuit was initiated for the annulment of this administrative act which was later accepted by the court. Despite the acceptance of the lawsuit, the case was brought to the Court of Appeals by the public institution and the Court of Appeals finally decided on the dismissal of the charges.
Following this decision, an Individual Application was made on February 5, 2018 by the Applicant to the Constitutional Court.
- What are the Matters included in the Decision?
Following the Individual Appeal to the Constitutional Court made by the Applicant:
- It has been stated that the fingerprint solely belonging to a person which contains physiologic information enabling the definition of a person’s identity falls into the category of biometric personal data within sensitive personal data catalogue;
- It has been stated that the conditions for the processing of sensitive personal data are determined in Article 6 of the Personal Date Protection Law (“the Law no.6698”) and that explicit consent would be required for such processing; and that in the referred provision there is no exception suggesting that personal data can be processed without explicit consent in the context of work shift follow-up;
- Within this scope, it has been indicated that in this case the fingerprints falling into sensitive private data of employees of the municipality can only be registered and utilized if there is a specific legislative provision or the explicit consent of the employee;
- It has been stated that for the registration of biometric data based on explicit consent, the principle of legality within the framework of Article 13 of the Constitution should be met and that for the acceptance of the presence of explicit consent; the employee shall be informed about the scope, purpose, limits, and outcomes of the data to be processed, there shall be a legitimate purpose, there shall be no other way of realizing the legitimate purpose involving fewer interference and the processing of personal data shall be limited to the purpose,
- Nonetheless, it has been stated that the sole presence of explicit consent would not make any act lawful, in other words, explicit consent may only be used if there is no other method involving fewer interference with rights and liberties and it is limited to the purpose according to the principle of proportionality. In that regard, the constitutional guarantees protecting the rights and liberties of the employee shall be complied by the administration in the utilization of methods of data processing and sharing in the work place.
- It has been found that, the employee did not give explicit consent to the registration for the use of his fingerprint for the purpose of work shift follow-up. Thus the processing of its sensitive private data violates his right to personal data protection. Besides, neither the Law No. 657 nor the Law No. 5393, contains any provision enables the processing of sensitive personal data in the context of biometric data based tracking systems aiming at work shift follow-up and the supervision of the employee without explicit consent of the data subject.
- The Constitutional Court found, under the consideration of the facts of the case that the intervention subject to the application did not meet the criterion of legality and that therefore there was no need to further examine whether the other standards of guarantee were abided by.
Under the consideration of the abovementioned findings, the Constitutional Court decided that the right to personal data protection within the right to respect to privacy under Article 20 of the Constitution was violated.
Tunca Attorney Partnership