in Legal Success
| Reading Time: 12 Minutes
Monitoring The Worker With Electronic Methods at The Workplace in Turkey
The fabric of our age, kneaded with technology, has affected not only every aspect of our daily lives but also our business life. Computers, e-mails, and smartphones have become inevitable parts of observation and control mechanisms in workplaces, while the legal aspects of this situation are gaining importance. On the one hand, employers resort to electronic monitoring methods to increase efficiency at work and regulate work processes; on the other hand, issues such as the privacy of employees’ private lives and the protection of their personal data are coming to the fore. In this complex field, our article titled “Monitoring Workers in the Workplace with Electronic Methods” examines how the Law follows a path as a balancing element.
What Are The Criteria to Be Considered in Workplace Surveillance?
What Are The Principles to be Followed During Workplace Surveillance?
The rules to be followed during surveillance at the workplace are mainly based on the Personal Data Protection Law (PDPL (or KVKK in Turkish)). In addition to KVKK, regulations related to employees’ personal data are found in Article 419 of the Turkish Code of Obligations (TCO (or TBK in Turkish)) and Article 75 of the Labor Law.
Paragraph 1 of Article 419 of the Turkish Code of Obligations;
“The employer can use personal data of the employee only to the extent that it is related to the employee’s suitability for the job or necessary for the performance of the employment contract.“
Provision and Article 75 of the Labor Law;
“The employer arranges a personal file for each employee he/she employs. The employer must keep all kinds of documents and records that he/she is obliged to arrange in this file under this Law and other laws and show them to the authorized officers and authorities when requested. The employer is obliged to use the information obtained about the employee according to the rules of honesty and law and not to disclose information in which the employee has a legitimate interest in keeping it confidential.“
When taken into consideration, the legislator has made a broad regulation here, speaking not of the processing of personal data but only of the use of this data. However, with the regulation brought by the Personal Data Protection Law, the regulation in the Turkish legislation regarding the processing of employee data in the workplace has been more firmly established.
The Personal Data Protection Law and the European Court of Human Rights (ECHR) decisions stand out as more comprehensive sources in determining the criteria to be considered in evaluating the legality of electronic surveillance to be made to the employee in the workplace than TBK Article 419 and Labor Law Article 75.
The ECHR has granted discretion to the state in the regulations made regarding the employer’s monitoring of the worker; however, it has underlined that this authority must be limited (ECHR Grand Chamber, Barbulescu v. Romania Case Decision (Application No: 61496-08), September 5, 2017, para. 120). In one of its latest decisions, it has determined the criteria to be evaluated in ensuring proportionality, which can prevent possible arbitrary practices by states. The text of the decision is as follows;
Criteria mentioned in paragraphs 121 and 122 of the Barbulescu v. Romania case decision;
- The employer’s measure must be notified in advance, and the form of monitoring must be clearly stated to comply with Article 8 of the European Convention on Human Rights (ECHR).
- In determining the scope of the employer’s monitoring and the degree of invasion of privacy, spatial and temporal limits, the number of people accessing the data, how much of the communication is monitored, and whether or not the content is also monitored, should be taken into account.
- Legitimate reasons that justify the monitoring must be found. If access has also been made to the content of the data, these reasons must be more serious.
- It must be evaluated whether or not there are methods that invade privacy less.
- Whether the obtained data is used for the previously targeted purpose or not.
- Security must be provided to the worker in cases where the employer conducts monitoring that may invade the right to privacy. This security includes the employer not being able to access the real content of the data without prior notification to the worker.
- Finally, a worker whose communication has been monitored should be able to apply to the judiciary.
Principle of Compliance With The Law and Honesty
Compliance with legislation means compliance with the Law. In interpreting the rule of honesty, it is necessary to rely on reasonable expectations related to the worker’s monitoring. While the ECHR attaches importance to this criterion, it argues that it is a criterion that will not lead to a final result in the case.
Accordingly, the interpretation of the principle of honesty should be based on the worker within the scope of the ECHR, and action should be taken according to the worker’s reasonable expectation (Case of Halford v. The United Kingdom, para. 45; Case of Antovic and Mirkovic v. Montenegro, para. 43; Case of Lopez Ribalda and Others v. Spain, para: 57, Case of Barbulescu v. Romania, para. 73.).
Principle of Accuracy and Currency
Even if the employer does not provide this principle, the worker has the right to request it. According to Article 11/1-b of KVKK;
“Everyone has the right to apply to the data controller regarding themselves; b) Requesting information if personal data has been processed…”
According to this provision, the worker’s right in this regard is protected. Again, according to the same paragraph’s sub-clause d, the worker has the right to request the renewal of incorrect or incomplete stored information about themselves. If the employer does not fulfill this request, the worker will have the right to claim compensation for the damages incurred. Indeed, the employer’s processing of personal data with incorrect or incomplete information violates the Law.
Processing for Specific, Clear, and Legitimate Purposes
According to Article 5 of the Personal Data Protection Law, the purpose informed to the employee must be clear, specific, and legitimate when enlightening the employee before surveillance. Accordingly, personal data cannot be processed without the consent of the person concerned. However, the provisions specified in KVKK Article 5/2 are reserved.
Accordingly, it may be mandatory to process personal data without the explicit consent of the person concerned if Law explicitly prescribes it, if it is mandatory to protect the life or physical integrity of the person who is unable to explain their consent due to actual impossibility or whose consent is not legally valid, if it is necessary for the establishment or performance of a contract provided that it is directly related to the contract, if the processing of personal data belonging to the parties to the contract is necessary, if the data controller must fulfill their legal obligation, if this data has been made public by the person concerned themselves, if data processing is mandatory for the establishment, use, or protection of a right, and finally, if data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the related person.
Principle of Being Connected, Proportional, and Limited to The Purpose for Which They Are Processed
According to the relevant provisions of the Personal Data Protection Law, data obtained through electronic surveillance must be processed within the framework of a previously defined purpose. If the data is processed outside the predetermined purpose, this will constitute a legal violation, and the employer will be held liable for compensation to the employee.
It should also be remembered that the employment contract can be terminated based on evidence obtained on a matter outside the purpose during lawful electronic or other monitoring of the employee (Esra Yigit, “Monitoring and Surveillance of Internet and E-mail Use at the Workplace“, Istanbul University Social Sciences Institute, Private Law Master’s Thesis, 2013, p. 104).
The proportionality element refers to the fundamental element that must exist between the purpose and the method of monitoring the employee in the workplace. The employer must consider the principles of suitability, necessity, and proportionality contained within the proportionality element while monitoring the employee’s work quality, working hours, entry and exit times, etc., electronically or by other means. There must be a reasonable connection between the purpose and proportionality. According to the necessity principle, the method of monitoring that least interferes with the employee’s private life must be chosen.
In terms of suitability, electronic or other means of monitoring the employee must be done lawfully and suitably to achieve the purpose. Finally, there must be a suitable proportion between the intervention on the employee and the purpose to meet the proportionality criterion.
That is, when collecting personal data such as; camera, fingerprint, eye scanning, etc., from the employee electronically, there must be proportionality between these and the purpose of monitoring the employee. Otherwise, there will be a legal violation in the collection of the data.
The Personal Data Protection Board stated in its decision on “…the tracking of the entrance and exit of the relevant person who works as an officer in the municipality by processing biometric data within the data controller” that “processing the fingerprint, which is biometric data, for the purpose of time control within the data controller is contrary to the principle of being related, limited, and measured with the purpose under the subparagraph (c) of the 4th article titled ‘General Principles’ of the Law, on the other hand, considering that the said data processing activity is not based on a lawful data processing condition, the data controller’s said application is contrary to subparagraph (a) of paragraph (1) of the 12th article of the Law…” and evaluated that the data processing activity is not related, limited, and measured with the purpose.
What Are The Conditions For Processing Personal Data For Monitoring Employees Electronically?
Obtaining The Employee’s Consent
According to Article 5/1 of the Personal Data Protection Law (KVKK), obtaining the employee’s consent is mandatory before monitoring. Although the Law stipulates that the employee’s consent must be explicit, it does not prescribe any specific form for obtaining it.
The meaning to be derived from the consent being explicit does not imply that the consent obtained from the employee will be limitless. Instead, it indicates that the content of the consent given by the employee must be clear and understandable, and it must include all the rights and notifications arising from the Law. The employee must understand the purpose and method of electronic or other monitoring. Consent must be given based on free will, without any pressure, and there should be no defect in the will.
When obtaining the employee’s consent, according to KVKK Article 10;
“(1) During the collection of personal data, the data controller or the person authorized by him/her must inform the concerned persons; a) Identity of the data controller and, if any, its representative, b) The purpose for which personal data will be processed, c) To whom and for what purpose the processed personal data can be transferred, d) Method and legal reason of collecting personal data, e) Other rights listed in Article 11, are obligated to provide information.“
The employer is obliged to inform the employee about the purpose and content of the monitoring and to enlighten the employee about their rights. According to KVKK Article 4/2-c, the purpose of data processing can only be a purpose arising from the employment relationship.
(1) Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws.
(2) Compliance with the following principles is mandatory in the processing of personal data:
- Compliance with the Law and rules of honesty,
- Being accurate and up-to-date when necessary,
- Processing for specific, clear, and legitimate purposes,
- Being related, limited, and proportionate to the purposes for which they are processed,
- Being preserved for the period stipulated in the relevant legislation or necessary for the purposes for which they are processed.
In the doctrine regarding the withdrawal of the employee’s consent, there are various opinions; according to the prevailing view, the employee will be able to withdraw their consent at any time. Indeed, the authority also states in the same direction that giving explicit consent is a right strictly attached to the person. In this context, the right to determine the future of personal data also belongs to the concerned person, emphasizing that the concerned person can withdraw explicit consent at any time. It is possible to say that the concerned person can withdraw explicit consent whenever they wish.
Methods of Electronically Monitoring Employees at The Workplace
Today, with the increasing demand for labor and technological advancements, monitoring workers electronically has significantly increased. Examples of monitoring methods using electronic means include monitoring telephones, capturing audio and visuals, tracking workers’ real-time location information outside the workplace using GPS, shift changes, fingerprint scanning at entry and exit times, and access control systems are frequently used methods.
As initially stated, with prior consent from the worker, smartphones and landlines can be monitored, tracked, and listened to. Landlines can be listened to through some devices. Smartphones generally have features that coincide with computer monitoring software, often marketed as child and worker monitoring software for smartphones and tablets.
“The following features can be cited as examples: Keeping and listening to call records, keeping records of incoming and outgoing SMSs and e-mails, recording social media activities, recording accessed internet sites and blocking access to desired addresses, monitoring and deleting messages containing certain keywords when necessary, warning if the worker communicates with specific people, warning if the worker goes to a certain place, accessing the address book, remotely locking the phone and deleting data, reaching the front or back camera of the worker’s phone remotely to take a picture, capturing a screenshot, keylogging (keyboard listening).“
Capturing Audio and Visuals
Cameras can have the capability of not only capturing images but also detecting sound. In some cases, only sound recording may be involved.
Regarding visual capturing systems, the existence of small-sized but more advanced devices brought by evolving technology allows employers to monitor what’s happening in the workplace in high resolution, even with a smartphone. It is worth noting that employers should avoid technologies capable of visual analysis that they think have no legal basis, as even the worker’s appearance and movement style can be recorded in a way that can be later recognized by the machine (Article 29 Data Protection Working Party, Opinion 2/2017 on Data Processing at Work, June 8, 2017, p. 19, <http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169>, (Online)(Accessed: 20.06.2019)).
Monitoring and Controlling Computer and Network Activities
A frequently used method for monitoring computers today is the “Keylogger” method.
A Keylogger can be software, or it can be a hardware device like a USB flash drive. It records computer activities in real-time, including the keys pressed on the keyboard. Even immediate deletion after typing does not prevent it from recording. Although it might also be used for purposes like troubleshooting, parental control, or password stealing, employers commonly use it as a control tool on workers’ computers.
Keyloggers usually record keyboard movements, but some features can be added, such as; accessing all passwords entered by the user, periodically taking screenshots, recording the addresses of visited websites and taking their pictures, keeping a list of applications run by the user, keeping records of instant messaging (Facebook, WhatsApp…), keeping records of sent e-mails, automatically sending the reports of the above to another location (Bradley Mitchell, “Why Keylogging Software Should Be on Your Radar“, <https://www.lifewire.com/definition-of-keylogger-817998>) (Online)(Accessed: 20.06.2019).
In a case heard in the German Federal Labor Court regarding the use of Keyloggers, the court found that secretly using this software was unlawful. The court required that for secret Keylogger use in the employment relationship, there must be either specific suspicion about an employee committing a crime or a serious contractual violation (BAG 2 AZR 681/16, for an English description of the decision: Henriette Picot, Benedikt Vogel, Employee monitoring by keylogger software unlawful except in case of severe suspicions, <https://www.twobirds.com/en/news/articles/2017/germany/employee-monitoring-by-keylogger-software-unlawful-except-in-case-of-severe-suspicions> (Online)(Accessed: 20.06.2019)).
It is worth emphasizing that for monitoring an employee by any means, prior consent must be obtained, the employer must inform the worker, and the monitoring must be done in a measured, proportional, appropriate, and lawful manner within the context of KVKK (Personal Data Protection Law).
Personnel Entry and Control Method
Today, in most workplaces, it is observed that workers and staff are tracked during entry and exit through methods like card scanning and fingerprint scanning. Obtaining valid consent from the worker beforehand is a requirement for applying this method. The data obtained from the worker must be stored in the workplace’s data system for a reasonable time in a manner that does not conflict with the purpose and proportionally. Storing and using this data without the worker’s consent or beyond the time the worker consents will again constitute a legal violation.
Court of Cassation Decisions
Court of Cassation 22. C.D. 2015/28830 E.
“In the workplace, employees’ personal rights can be restricted by monitoring and observing them if there is a justified reason. What constitutes a justified reason is determined according to the specific characteristics of the situation. Protecting the image of the workplace, monitoring production processes, and supervising areas and tools that are important in terms of security may justify monitoring. However, what is important here is that there should not be a reasonable expectation of privacy among the employees (ERDOGAN, age, pp. 116-117). There can be no justified reason for listening to employees’ conversations. Also, according to the file content, the plaintiff was not previously informed that their conversations were being listened to, and their consent was not obtained. Considering the nature of the workplace and the fact that the employees were not informed beforehand, it is clear that the plaintiff had a reasonable expectation of privacy regarding not being listened to. Accordingly, the defendant employer has violated the plaintiff’s personal rights by illegally listening to their conversations.”
Court of Cassation 22. C.D., E. 2017/21857 K. 2019/9884 D. 5/7/2019
“The employer can monitor and track the employee electronically as a result of their management rights. However, the employee must be informed about this monitoring. If the employee is not informed about being monitored or is monitored secretly, even if the data obtained from this monitoring clearly reveals that the employment contract has been violated by the employee, it should be considered illegal. Given this, in the specific case, it must be accepted that the information obtained by secret monitoring by the employer cannot be put forward as a reason for justified termination. The court should have concluded that the termination was not based on a justified reason and that the plaintiff had earned the right to notice compensation, whereas deciding to reject the claim with a written justification is erroneous, and the decision must be overturned for this reason.”
Nowadays, with increasing technological advancements, many various methods are available for monitoring employees. To electronically monitor the employee or through other means, as mentioned above, certain conditions must be met within the scope of the Personal Data Protection Law (KVKK).
Obtaining the employee’s consent is the first necessary condition for monitoring. In addition, the relevant articles of the KVKK also state that the monitoring of the employee must be conducted according to the principle of proportionality. Accordingly, the employer must monitor the employee in a balanced, measured, suitable, and lawful manner, in line with the purpose of monitoring. Otherwise, there will be a legal violation, and the employee will have the right to compensation for the violation of personal data.
When examining the decisions of the Court of Cassation and the ECHR, it is seen that in disputes arising from the monitoring of employees, the legal cause of compensation lawsuits is disproportionality and monitoring methods that are done without the consent of the employee or beyond the scope of the consent given.
In this case, the primary obligations of employers are to obtain the express consent of the employee regarding electronic monitoring, to conduct monitoring in a way that minimizes the violation of the employee’s private life, and to inform the employee in terms of legal rights. In contrary situations, as explained above, the right to compensation in favor of the employee will arise.
Sources & References
- ECtHR Grand Chamber, Decision of Barbulescu v. Romania (Application no: 61496-08), September 5, 2017, para. 120.
- Case of Halford v. The United Kingdom, para. 45; Case of Antovic and Mirkovic v. Montenegro, para. 43; Case of Lopez Ribalda and Others v. Spain, para: 57, Case of Barbulescu v. Romania, para. 73.
- Esra Yigit, “Monitoring and Observing Internet and E-mail Use at the Workplace“, Istanbul University Social Sciences Institute, Private Law Master’s Thesis, 2013, p. 104.
- Kuzeci, ibid, p. 223; Okur, ibid, p. 89; quoted from: Canan Erdogan, “Monitoring and Observing Employees Within the Scope of Personal Rights“, Yildirim Beyazit University Social Sciences Institute, Private Law Master’s Thesis, 2014, p. 80.
- Okur, ibid, p. 87.
- Article 29 Data Protection Working Party, Opinion 2/2017 on Data Processing at Work, June 8, 2017, p. 19.
- <http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169> (Online)(Accessed: 20.06.2019).
- <http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169> (Online)(Accessed: 20.06.2019).
- <https://www.lifewire.com/definition-of-keylogger-817998> (Online)(Accessed: 20.06.2019).