
Workplace CCTV and KVKK: A 2026 Compliance Guide for Türkiye


On 8 June 2026, Türkiye’s Personal Data Protection Authority (KVKK — the regulator that enforces Law No. 6698, the Turkish equivalent of the GDPR) published guidance on the use of security cameras in workplaces. The message is direct: installing cameras is not banned, but where they point, what they capture and who watches the footage are now things you can be audited on. Systems set up years ago on a “just stick a camera by the door” logic now carry real administrative-fine risk.

As someone who builds the technical side of these systems, I can tell you the hardware is rarely the problem. The problem is who has access to the recorder, how long footage is kept, and whether employees were ever told. Exactly the points the regulator flagged.

Is using cameras at work a KVKK violation?

No. Security, occupational health and safety, or meeting a legal obligation can all be valid grounds for processing under Article 5 of Law No. 6698. Watching the entrance, the warehouse or the cash area against theft is legitimate.

What is not legitimate is using a camera as a general surveillance tool. The guidance is explicit: monitoring employee performance, measuring productivity, or maintaining vague “control” are not accepted as lawful purposes. Pointing a camera at someone’s desk to check how hard they work counts as a direct breach.

Where can cameras go — and where can’t they?

This is the most concrete part of the guidance. The proportionality principle in Article 4 limits camera coverage.

| Permitted areas | Prohibited areas |
| --- | --- |
| Entry and exit points | Toilets |
| Warehouses and storage | Changing rooms |
| Cash and valuables zones | Prayer / rest areas |
| High-risk passageways | Desks under constant monitoring |

The Authority also stresses avoiding wide-angle or face-focused recording that captures the entire workplace. The “one fisheye camera that sees everything” approach fails the proportionality test.

What does the 8 June 2026 guidance actually require?

A few points stand out:

  • No audio recording. Cameras with microphones are considered overly intrusive into private life; if video is enough, adding sound is disproportionate.
  • Extreme caution with biometrics. Face recognition and fingerprints are special-category data and face far stricter conditions. The Authority’s 2022/797 decision found face recognition at building entry unlawful — that line still holds.
  • Notice is mandatory. Employees and visitors must know the area is recorded (Article 10). Not just a small sign by the door, but a notice that answers who records, why, and for how long.
  • Shortest retention plus auto-deletion. Footage should not be kept “just in case” for months. The system needs an automatic overwrite mechanism.
  • Access only for authorised staff. It must be clear who views recordings; an access matrix should exist, and footage must not be shared arbitrarily.

What needs fixing on the technical side?

Most of compliance is actually setup and configuration work. The items we look at in practice:

  1. Retention policy. Most firms leave the NVR/DVR on factory settings, recording until the disk fills. Instead, set a defined period and enable automatic overwrite. A few weeks suffices for most workplaces; longer only with a legal reason.
  2. Access control and logging. Replace the single shared “admin” password with per-user permissions and a record of who watched what and when.
  3. Network segmentation and encryption. Put cameras on a separate VLAN and place remote access behind a VPN. An internet-exposed camera with a default password is still the most common weakness.
  4. Notice and policy documents. Sign + KVKK notice text + internal camera policy. Without these three, technical measures alone are not enough.
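The technical items above, together with the no-audio point from the guidance, can be checked mechanically against a description of the installation. The following is an added example, not code from the original post: the configuration schema, the sample deployment and the 30-day policy limit are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample; the field names are a hypothetical schema, not a vendor export.
DEPLOYMENT = {
    "retention_days": None,        # None = factory default: record until the disk fills
    "auto_overwrite": False,
    "legal_basis_for_longer": None,
    "camera_vlan": "10.20.30.0/24",
    "accounts": [{"user": "admin", "shared": True, "default_password": True},
                 {"user": "security.lead", "shared": False, "default_password": False}],
    "access_logging": False,
    "remote_access": {"enabled": True, "via_vpn": False},
    "cameras": [{"name": "entrance", "ip": "10.20.30.11", "audio": False},
                {"name": "warehouse", "ip": "192.168.1.57", "audio": True}],
}
POLICY_MAX_DAYS = 30  # assumed internal limit; the Authority sets no fixed day count


def audit(cfg, max_days=POLICY_MAX_DAYS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    days = cfg["retention_days"]
    if days is None or not cfg["auto_overwrite"]:
        findings.append("retention: no defined period with automatic overwrite")
    elif days > max_days and not cfg["legal_basis_for_longer"]:
        findings.append(f"retention: {days} days exceeds {max_days} without a legal reason")
    for acct in cfg["accounts"]:
        if acct["shared"]:
            findings.append(f"access: account {acct['user']!r} is shared, not per-user")
        if acct["default_password"]:
            findings.append(f"access: account {acct['user']!r} still has a default password")
    if not cfg["access_logging"]:
        findings.append("access: viewing of recordings is not logged")
    remote = cfg["remote_access"]
    if remote["enabled"] and not remote["via_vpn"]:
        findings.append("network: remote access is not behind a VPN")
    vlan = ipaddress.ip_network(cfg["camera_vlan"])
    for cam in cfg["cameras"]:
        if ipaddress.ip_address(cam["ip"]) not in vlan:
            findings.append(f"network: camera {cam['name']!r} is outside the camera VLAN")
        if cam["audio"]:
            findings.append(f"audio: camera {cam['name']!r} records sound")
    return findings


if __name__ == "__main__":
    for finding in audit(DEPLOYMENT):
        print(finding)
```

The notice and policy documents in item 4 are not something a script can verify; they still need a manual check.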

What are the fines if you don’t comply?

KVKK assesses violations under Article 18. The administrative-fine bands applied in 2026 (revaluation-adjusted) are:

| Violation type | 2026 fine range |
| --- | --- |
| Breach of notice obligation (Art. 10) | TRY 85,437 – TRY 1,709,200 |
| Breach of data security measures (Art. 12) | TRY 256,357 – approx. TRY 17.1 million |

Camera systems most often get fined under “data security,” because an open password, unlimited access and footage with no retention limit are direct Article 12 breaches. The upper band explains why this is a management issue, not a hardware one.

Frequently asked questions

Do I have to tell employees? Yes. The notice obligation (Art. 10) is non-negotiable; hidden cameras are unlawful in almost every case.

How long can I keep recordings? The shortest period needed for the purpose. The Authority gives no fixed day count but rejects the “just in case” logic. If no legal dispute has arisen, keep it short.

Can I use cameras with audio? The Authority considers audio disproportionate; in practice, avoid it.

Can I watch the workplace from my phone at home? Fine if the viewer is authorised and access is secure (VPN, encrypted connection). The problem is when that access is internet-exposed and unlogged.

If you would like us to review the KVKK side of your camera system end to end — from hardware and network setup to retention policy and notice text — get in touch. We inspect your current setup and hand you a concrete list of the measures you are missing.


Sources: KVKK, “Public Announcement on Matters to Consider in the Use of Security Camera Systems in Workplaces” (8 June 2026); Law No. 6698 Articles 4, 5, 10, 12, 18; KVKK Board decision 2022/797 dated 04/08/2022.
