Protection and Processing of Personal Data in Employee Personnel Files within the Scope of the Personal Data Protection Law (KVKK)
- sellinunverdi
- Apr 1
Updated: May 12

The fundamental regulation regarding employee personnel files is found in Article 75 of the Labor Law No. 4857, which imposes on the employer the obligation to create and maintain personnel files containing information and documents belonging to their employees. According to Article 104 of the same law, failure to comply with this obligation results in administrative fines against the employer. Personnel files, which contain many kinds of personal data such as identity, education, health status, military service information, and residence, are also protected by the Personal Data Protection Law (KVKK). The KVKK obligates the employer to process only the data required for the job and to store this data in secure environments; data processing activities that violate the procedures and principles stipulated in the Law result in a personal data breach. In this context, processing personal data in personnel files in accordance with the KVKK is of great importance. This issue is discussed below under various headings.
Processing, Storage, and Destruction of Personal Data in Employee Personnel Files
Data contained in personnel files may only be processed in accordance with Article 4 of the KVKK (Law on Protection of Personal Data), in a manner that is lawful, fair, and consistent with specific, explicit, and legitimate purposes. Employers must limit data collection activities to information relevant to the job requirements and process data in a manner that is relevant to the purpose, proportionate, and limited. Data in personnel files must be protected in a secure environment and accessible only to authorized persons.
On the other hand, according to Article 7 of the Personal Data Protection Law (KVKK), employers are obliged to destroy data whose retention period has expired or for which the reasons requiring processing have ceased to exist. Under the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" and the Personal Data Protection Authority's Personal Data Storage and Destruction Policy, data that has lost its function after the expiration of the maximum period justifying the retention of personal data following the termination of the employment contract must be deleted, destroyed, or anonymized in accordance with the principles determined in the regulation. While storing personnel files in locked cabinets is a common method in practice, according to the Personal Data Security Guide, keeping them in secure environments accessible only to authorized persons when needed is also considered sufficient.
Protection and Processing of Health Data
Health data is considered a special category of personal data under Article 6 of the Personal Data Protection Law (KVKK). With the amendments introduced by Law No. 7499, which came into effect on June 1, 2024, explicit consent is no longer the sole mandatory requirement for processing this data; new legal grounds for processing, such as fulfilling legal obligations in the areas of employment, occupational health and safety, and social security, have been added to the legislation. However, the requirement that health data, including pre-employment and periodic examinations, be collected only by the workplace physician or authorized health personnel remains in effect. Indeed, decisions of the Personal Data Protection Board confirm that workplace physicians can process health data within the framework of their confidentiality obligations.
The employer is obligated to consider the health and safety risks to which the employee may be exposed. Occupational health examinations are conducted by the workplace physician at the start of employment, upon job changes, upon request, or at intervals determined according to the hazard class, and a report is prepared based on the examination results. It is a fundamental responsibility of the employer to process this data in a manner that is proportionate to the nature of the work and appropriate to the purpose.
Regarding the security of health data, the following point should be particularly emphasized: Examination forms, health reports, and other sensitive health documents should be kept within the occupational physician's office, not in the general personnel file; general access to this data should be prevented. Otherwise, it will constitute a data privacy and security breach. In addition, making sensitive data such as blood type and religious affiliation, which are found in old identity documents, unreadable by obscuring or blurring them is also a practical obligation that should be observed.
Can a criminal record be kept in a personnel file?
Information regarding criminal convictions is considered a special category of personal data. Therefore, processing of criminal records is only possible if it is explicitly provided for in the law, if the data subject has given their explicit consent, or if one of the other legal grounds, limited in number, set out in the law applies.
There are specific regulations that allow or require the issuance of criminal record checks for certain positions, such as security guards or personnel working in private educational institutions. However, these regulations remain exceptions, and the rule is that processing is based on explicit consent. Processing a criminal record check without the explicit consent of an employee is unlawful in cases not explicitly provided for in the law. During the process of obtaining explicit consent, the employee must be informed, in particular, about the following: that the granting or withholding of consent is not contingent upon the successful outcome of the recruitment process; and that consent can be withdrawn at any time without any conditions. The data in question must be stored with adequate measures determined by the Board and destroyed after an appropriate period.
Conclusion
Processing only the personal data of employees that is necessary for the job, and taking all necessary technical and administrative measures in this process, directly contributes to the protection of data in personnel files and the establishment of a secure environment in the workplace.
The preservation and destruction of personnel files, which contain a large amount of both general and specific personal data, constitute an extremely critical process for employers. In this process, the employer must act proportionally, adhering to the purposes and limits of data processing as defined by the Law; comply with both the Personal Data Protection Law (KVKK) and relevant legislation; take necessary security measures for file storage; and fully implement the destruction policy at the end of the specified period. Obtaining legal support in this area is crucial to ensure that every stage of the process is carried out without any breaches. Furthermore, increasing corporate awareness through internal training will be a preventive and effective step to avoid administrative fines that may arise from violations of obligations under the KVKK.
Attorney Selin Ünverdi



