Legal AlertThe PDPB Published a Decision on the Request of Sensetive Personal Data from Candidates in the Recruitment Process by the Turkish Liaison Office of a Data Controller Residing Abroad

15 November 2022

The decision of the Personal Data Protection Board (“Board”) dated 24.02.2022 and numbered 2022/172 regarding requesting special categories of personal data from candidates during the recruitment process by the Turkish liaison office of the data controller resident abroad (“Decision”) has been published.

In summary, the data subject submitted a complaint to the Personal Data Protection Authority (“Authority”), and stated the following:

Data subject stated that the liaison office requested criminal record, health report, chest X-ray report, blood type certificate, photocopy of driver’s license, photocopy of marriage certificate and photocopies of identity cards of family members and that these documents were submitted by the data subject; however, the liaison office did not obtain explicit consent from the data subject for the processing of special categories of personal data.

In the defence received on the subject, the liaison office stated that,

  • The personal data subject to the complaint are kept in the nature of “personnel file” in accordance with the employment contract during the working period in line with the legitimate purpose determined in the relevant legislation and laws,
  • The employment of the data subject within the data controller is determined directly according to the provisions of the legislation based abroad and accordingly, the workplace registry file is created according to the provisions of the current legislation abroad,
  • The personal data subject to the complaint was obtained from the data subject with his consent within the scope of the workplace personnel file, since the data subject is an employee of the data controller residing abroad, and in this sense, it is not possible to transfer the personal data in question abroad without consent.

In the evaluation made regarding the subject, the Board stated that;

  • Considering that the employer is the data controller residing abroad, the employment relationship agreements concluded with the employees should be concluded with the data controller itself, not with the liaison office; in accordance with the employment contract, there will be no illegality in the transfer of personal data of the data subject by the liaison office to the data controller residing abroad, since the title of “data controller” already belongs to the company residing abroad,
  • It is not possible for the data subject to not be aware that his/her personal data obtained from him/her in accordance with the foreign legislation to which the data controller is subject to will be processed abroad while making an employment contract to work with the foreign data controller,
  • In this case, it was assessed that the transfer of data abroad was not unlawful, the personal data of the data subject was obtained by the data controller residing abroad through the contract concluded within the scope of the business relationship in accordance with the resident country law.

For the aforementioned reasons, the Board has concluded that there is no action to be taken pursuant to the Turkish Data Protection Law.

You may reach the full Turkish text of the Decision via the link below.