In its decision dated August 10, 2023 w. no 2023/1356, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an employer that submitted the camera footage of its employee praying in a masjid in a reinstatement lawsuit.

In summary, the employee (“Data Subject”) argued that the employer (“Data Controller”) recorded the footage of the Data Subject praying in a masjid without obtaining their explicit consent and without providing information regarding processing of their personal data, which is considered as a special category of data within the scope of the Personal Data Protection Law No. 6698 (“DPL”). The Data Subject further claimed that they were forced to sign an explicit consent form regarding the retrospective processing of their personal data by writing the date of employment, for fear of being dismissed and that this consent did not reflect their free will.

On the other hand, in its defense, the Data Controller stated that camera footage subject to the complaint was processed for security purposes at the workplace, as the workplace was classified as “very dangerous” in terms of occupational health and safety due to its production activity. In this regard, the employees were informed about the recording through visitor safety sign and camera warning signs at the entrance of the Data Controller’s workplace. Moreover, the Data Controller emphasized that the employees were informed regarding (i) the camera footage is processed due to physical place safety, (ii) the purposes of such processing, (iii) to whom and for what purpose the data may be transferred, (iv) the methods of data collection and (v) the rights of the data subjects. Accordingly, the Data Controller stated that the video footage is processed with the purpose of physical place safety data to track any incident that may occur in the masjid, which is a part of the workplace. However, the Data Controller further argued that its employees’ special categories of data, i.e. personal data regarding religion, sects and other beliefs, are not processed and thus, explicit consent of the employees were not obtained.

In this regard, the Board primarily evaluated and decided that as the Data Controller’s processing of the video footage inside the place of worship is a data processing related to the religious belief of the Data Subject, the video footage falls within the scope of special categories of personal data and explicit consent of the Data Subject must have been obtained. Furthermore, the Board underlined that camera surveillance of a place of worship would not be lawful data processing as the employees would have a reasonable expectation of privacy in terms of changing rooms, toilets, showers, prayer rooms, rest rooms and breastfeeding rooms; and that the masjid does not have any characteristics that would oblige it to be monitored with regards to the working area of the Data Controller.

The Board further referred to the Guidelines on Explicit Consent and underlined that explicit consent is a declaration of consent given by the data subject (i) freely, (ii) with sufficient information on the subject matter, (iii) in a clear manner that leaves no room for hesitation and (iv) limited. Accordingly, the Guidelines on Explicit Consent highlights that in an employment relationship where there is a power imbalance and one party has influence over the other, and the employee is not given the opportunity to effectively withhold consent, the explicit consent obtained from the employee will not be considered as freely given consent.

Accordingly, the Board decided to impose an administrative fine of TRY 300,000 (approx. EUR 9,148) on the Data Controller due to:

  • The failure of the Data Controller to process data within the scope of data processing conditions under the DPL as the explicit consent obtained from the Data Subject was based on the fear of dismissal and thus the Data Subject did not provide their explicit consent for the process of their special categories of data,
  • Even if the explicit consent was obtained from the Data Subject, the Data Controller did not act in compliance with the principles regulated under the DPL, namely, being relevant, limited and proportionate to the purposes for which the data is processed and thus, did not take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya