Follow us :
KVKK & Compliance

Türkiye's KVKK Ruling: Is Fingerprint and Face-Scan Attendance Over?

The fingerprint reader at the office door has been there for years. Everyone presses a thumb in the morning, the system logs the time, nobody thinks twice about it. A board decision published in Türkiye’s Official Gazette (Resmî Gazete) on 2 June 2026 took direct aim at that habit.

Decision 2026/921, dated 29 April 2026, from the Turkish Personal Data Protection Board (KVKK — the authority that enforces Law No. 6698, Türkiye’s equivalent of the GDPR) is unambiguous: processing biometric data such as fingerprints, facial recognition, iris or retina scans for workplace time-and-attendance is unlawful even if the employee has given explicit consent. The old defence — “we collected consent forms, so we’re fine” — no longer holds.

The Board’s reasoning rests on the nature of the employer–employee relationship. An employee who could lose their job doesn’t have a genuine freedom to say “no” to a system the employer installed. The Board puts it plainly: in this relationship, you cannot assume consent is based on free will. Consent is also revocable at any moment — the day an employee withdraws it, the biometric system has to stop working for that person, which undermines the whole point of the system.

The second pillar is proportionality. The logic is simple: if you can achieve the same result with a less intrusive method, reaching for the most sensitive category of data is disproportionate. Under KVKK, biometric data is a “special category” — the highest protection tier. When a card swipe already records who walked through the door, keeping everyone’s fingerprint in a database has no reasonable justification.

What to do now: the compliant alternatives

The Board named the alternatives directly. Ways to keep tracking attendance lawfully:

MethodHow it worksNote
Encrypted card / PINStaff swipe a card or enter a codeMost common migration path
RFID / NFC ID cardContactless card readCan ride on the existing staff badge
Mobile appCheck-in by location or QR from a phonePractical for field teams
Signature / paper sheetClassic attendance registerStill valid for small teams

What these share: they verify identity without taking anything permanent from a person’s body. Lose a card and you print a new one; have your fingerprint stolen and you can’t change it. That’s the heart of the difference.

Is biometric data now banned outright?

No — the ruling isn’t an absolute ban. Scenarios where biometrics are genuinely necessary and proportionate, and where no lighter method actually works, are judged on their own terms — physical access control to a high-security lab or data centre, for example. But routine attendance tracking doesn’t fall under that exception, because logging clock-in times has plenty of lighter options: card, PIN, mobile. The critical distinction is purpose: securing access to a sensitive area is one thing, recording daily start-and-finish times is another.

What happens if you don’t comply

An employer who keeps a biometric attendance system running faces an administrative fine under Article 18 of the Law. The violation is treated as a breach of data-security obligations; the 2026 figures, updated by the annual revaluation, start in the hundreds of thousands of lira and can climb into the millions for serious breaches. Because the penalty table is revised every year, it’s worth confirming the current amounts on kvkk.gov.tr. Beyond the fine, you now hold a biometric database you’re required to delete — switching the system off isn’t enough on its own; you also have to dispose of the collected records properly.

FAQ

What do we do with the fingerprint records we already hold? If they were collected for attendance, the legal basis is gone and they must be destroyed. Log the deletion, physical destruction or anonymisation.

If every employee consents, is that enough? No. That’s exactly the point of the decision: in an employment relationship, explicit consent alone is not a valid legal basis.

We installed a face-recognition turnstile last month. Do we have to remove it? If you use it for attendance and entry tracking, you’re expected to move to a compliant alternative. How new the investment is doesn’t change the ruling.

We use cloud-based attendance software — does liability sit with the vendor? You are the data controller. Regardless of who supplies the software, you answer for what data you process and why.

Swapping a fingerprint reader for a card system is a few days’ technical work. The real task is to look again at which employee data you keep and why. Attendance is a small part of the picture for most businesses; camera footage, personnel files and candidate CVs should pass the same proportionality test.

If you want help moving a biometric system onto a compliant method, or reviewing your KVKK posture from the ground up, get in touch.

Sources

Share this post
Türkçe oku

Related Posts