AC
Anasayfa Makaleler KVKK and Data Protection Law

Biometric Data (Fingerprint/Face Recognition): KVKK Framework

25 Şubat 2026 KVKK and Data Protection Law 2 dk okuma 12 görüntülenme Son güncelleme: 8 Mayıs 2026

Biometric data such as fingerprint, retina/iris scan, face recognition, voice recording are considered "personal data of special nature" within the scope of KVKK Article 6 and are subject to special regime.

  • KVKK article 6: Special data - processing conditions different from general data.
  • KVKK article 6/2: As a rule, explicit consent for processing.
  • Exceptions: provided for by law, vital interest, public health, etc.
  • Adequate security measures requirement.

Biometric System in the Workplace — Limits

  • The mandatory request for fingerprint for time tracking is disproportionate; If there are alternative methods (card, PIN), the request for biometric data is considered disproportionate interference with personal data.
  • Even if explicit consent is obtained, if it is made a condition of employment, the consent is invalid (no real free will).
  • "Data need proportionality" test: the method of least intervention should be chosen to achieve the goal.

Board Decisions

The Personal Data Protection Board has made decisions that it generally finds disproportionate to tracking work hours with fingerprints, even if "explicit consent" has been obtained, and that the employee's will is not truly free. Alternative methods should be suggested.

Face Recognition Systems

  • Face recognition at workplace entrances — again an alternative requirement.
  • Clarification text is not sufficient for shopping mall, bank and airport applications; special KVKK audit.
  • Face recognition cameras on the street — special legislation within the framework of public safety.

Obligations of the Data Controller

  • Explicit consent document (for special qualifications).
  • Information text (KVKK article 10).
  • VERBIS record.
  • Security measures (encryption, access logs).
  • Notification within 72 hours in case of violation (KVKK article 12/5).
  • Response to the rights of the data owner (KVKK article 11).

Sanctions

  • Administrative fine: 100,000 - 5,000,000 TL band (updated annually).
  • Material and moral compensation (TBK art. 49, 56).
  • TCK art.135-136 (unlawful processing/dissemination of personal data).

Practical Advice — For the Employer

  • Prefer alternative methods (card, PIN, mobile).
  • If biometric is required: strict explicit consent process + special security measure.
  • VERBIS record and record inventory should be kept up to date.
  • Information + explicit consent documents are separate.

    • Employee Rights

    • The right not to give explicit consent.
    • Withdrawing the given consent (KVKK article 11/1-c).
    • Data deletion request (KVKK article 11/1-e).
    • Complaint to the institution (KVKK article 13).

    Biometric data lawsuits are increasing; KVKK and labor law lawyer should evaluate together.

    Telif bildirimi This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

    Hukuki destek arıyorsanız

    Bu konuda profesyonel hukuki destek için Aycan Ceylan Avukatlık Bürosu olarak yanınızdayız.

    Görüşme Planla