The bottom line

On 29 April 2026 the Personal Data Protection Board adopted Principle Decision No. 2026/921, published in the Official Gazette on 2 June 2026 (No. 33268). Its message to employers is blunt: collecting employees’ fingerprints, faces or iris scans to track working hours is unlawful — and, critically, it stays unlawful even where the employee has given explicit consent. Attendance must instead be recorded through less intrusive means such as encrypted card or PIN systems, signature and paper sheets, RFID/NFC badges, or supervised manual entry.

Because this is a principle decision (ilke kararı) under Article 15/6 of the Personal Data Protection Law (KVKK), it applies generally, takes effect immediately without any secondary legislation, and will be the direct reference point in future audits.

Why “we got their consent” no longer works

Biometric data — fingerprints, facial and hand geometry, iris and retina patterns, and even behavioural signals such as voice or keystroke dynamics — is a special category of personal data under Article 6 of the KVKK. It is sensitive and, unlike a password, irreversible: a leaked fingerprint cannot be reset. Processing it is prohibited unless one of the narrow grounds in Article 6/3 applies.

In practice, employers have leaned almost entirely on ground (a) — explicit consent. The Board rejects that as a stand-alone basis for two reasons. First, explicit consent must be freely given (Article 3). In the employment relationship there is a structural power imbalance: an employee who is not genuinely free to refuse, or to withdraw consent later without fear of consequences, has not made a free choice. Second, consent is revocable by nature — and a system whose lawfulness can evaporate the moment one employee says “no” is not a sustainable legal foundation for a company-wide time-clock.

There is no law that requires biometrics

Could another ground rescue the practice? Labour Law No. 4857 does require employers to track and document working hours — Article 63 (working time), Article 67 (announcing daily start, end and break times) and Article 75 (personnel files), reinforced by Article 9 of the Working Time Regulation, which obliges employers to document hours “by appropriate means.” But “appropriate means” is not “biometric means.” No statute mandates — or even expressly authorises — fingerprint or facial recognition for attendance. So ground (b), “expressly provided for by law,” cannot apply, and the Board confirms that none of the remaining grounds (c)–(g) fit either.

Proportionality is the test biometrics cannot pass

Even assuming valid consent, the Board’s second — and decisive — point is that the general principles in Article 4 apply independently. Personal data must be processed in a way that is “relevant, limited and proportionate” to its purpose. Proportionality here has three layers: is the method suitable for the purpose; is it necessary (have less intrusive alternatives been exhausted); and is the intrusion proportionate to the aim? Attendance tracking is a limited administrative goal. Where encrypted cards, PINs, paper sheets, RFID/NFC badges and supervised manual entry can all achieve it, capturing irreversible biometric identifiers is simply not necessary — and so it fails proportionality. The availability of those alternatives is, in the Board’s words, proof that biometric processing is not compulsory. Consent cannot cure a measure that is disproportionate in the first place.

A settled line, not a surprise

The decision crystallises a position the Turkish courts had already reached. In its 10 March 2022 plenary judgment (application no. 2018/11988), the Constitutional Court held that fingerprint-based attendance for a public employee interfered with the right to the protection of personal data and failed the legality test, because no clear, specific and foreseeable law authorised it. The Council of State reached a parallel result on palm-vein scanning: its 12th Chamber decision (2021/3870 E., 2023/2548 K.) was upheld by the Plenary of the Administrative Law Chambers (2024/225 E., 2024/2625 K.), which — echoing the Board’s own 1 December 2020 decision (2020/915) — stressed that data not necessary for the purpose should not be processed at all. The Board has now turned that case law into a general, enforceable rule.

An important nuance: this is about attendance

Read the decision carefully. It targets biometric processing for attendance tracking. It does not declare every workplace use of biometrics unlawful per se. A genuine high-security access scenario may rest on a different analysis — but it needs its own Article 6 ground and its own proportionality assessment. “We already have a fingerprint reader on the secure door” is not a shortcut for using it to clock people in and out. Each purpose stands or falls on its own.

What employers should do now

  • Audit every biometric attendance system across sites, vendors and HR/access-control software.
  • Switch to a compliant alternative — encrypted card/PIN, RFID/NFC badges, signature or paper sheets, or supervised manual entry.
  • Erase the templates. Changing the clock-in method is not enough; stored biometric templates and logs must be deleted, and the deletion documented.
  • Update your records. Revise VERBIS entries and employee privacy notices to remove the biometric processing.
  • Document the measures. These steps are technical and administrative measures under Article 12/1; non-compliance can trigger an ex officio investigation and administrative fines under Article 18.

The Vircon take

None of this came as a surprise to us. We have told clients for years that consent-based biometric attendance was built on sand, and it has long been a priority item on our data-protection audit checklist — one we flagged in review after review. In practice, that meant consistently pushing clients to migrate their PDKS (employee attendance) systems off fingerprint and face recognition and onto proportionate, non-biometric methods. The Board has now confirmed, in binding terms, the position we have been advising all along.

For groups already aligned with the EU’s GDPR — where regulators have long rejected biometric time-clocks — this is a marginal adjustment. For everyone else, it is a clear signal that consent-based biometric HR design in Türkiye has reached the end of the road. The smart move is not to look for a cleverer consent form; it is to redesign attendance around proportionate, reversible methods and to keep biometrics for the rare cases where they are genuinely necessary and defensible. If you operate biometric attendance in Türkiye, the time to move is now.

This article is for general information and is not legal advice. For a tailored assessment of your attendance systems, talk to our team.

Author

  • Erdem Mümtaz Hacıpaşaoğlu

    Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.

Published: 3 June 2026