Processing Biometric Data in Turkey: KVKK Rules Explained

Fingerprint scanners at the office door. Facial recognition at hotel check-in. Palm vein readers replacing attendance cards. Biometric technology is spreading fast across Turkey, and businesses that deploy it without understanding the legal rules are taking on serious risk. Turkey's Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, KVKK) treats biometric data as one of the most sensitive categories of personal information — and the rules that govern its processing are stricter than most companies realise. For foreign businesses and investors operating in Antalya or elsewhere in Turkey, getting this right matters from day one.

What Counts as Biometric Data Under KVKK

The KVKK itself does not define biometric data, but Article 6 of the law places biometric and genetic data in the list of special-category personal data (özel nitelikli kişisel veri) — the same tier as health records, racial or ethnic origin, religious beliefs, and sexual life. Turkish courts have drawn on the European General Data Protection Regulation's definition to fill the gap: biometric data means personal information derived from specific technical processing of an individual's physical, physiological, or behavioural characteristics — such as fingerprint templates, facial geometry, iris scans, or voice patterns — that uniquely identifies that person.

Practically speaking, this covers fingerprint attendance terminals, facial recognition systems used for access control or identity verification, retina scanners, palm vein readers, and any system that processes a biometric template rather than just a photo or a PIN. If the technology identifies a specific individual through their body, it almost certainly processes biometric data under Turkish law.

The General Prohibition and Its Legal Grounds

Article 6 of the KVKK lays down a clear starting rule: processing special-category personal data is prohibited. Processing becomes lawful only when one of the statutory grounds applies. Following the 2024 amendments introduced by Law No. 7499, those grounds now include:

• Freely given, specific, informed explicit consent (açık rıza) of the data subject
• Explicit statutory authorisation — a specific law must expressly permit the processing
• Vital necessity where the person cannot consent
• Data the person has already made public themselves
• Necessity to establish, exercise, or protect a right
• Healthcare, preventive medicine, or public health purposes (by professionals under confidentiality obligations)
• Fulfilment of legal obligations in employment, occupational health and safety, and social security

Even when one of these grounds applies, KVKK Article 6(4) adds a further requirement: processing must also comply with the security measures specified by the Personal Data Protection Board (Kişisel Verilerin Korunması Kurulu). These Board-mandated measures cover technical safeguards such as encryption of biometric templates, strict access controls, audit logs, and staff training. They apply on top of — not instead of — the substantive legal ground.

For a broader overview of how the KVKK operates, see our article on KVKK compliance in Turkey.

Workplace Biometrics and the Proportionality Test

The most litigated use of biometric data in Turkey has been workplace attendance and access control. Employers have deployed fingerprint scanners and palm vein readers to track working hours and limit entry to premises. Turkish courts — particularly the Danıştay (Council of State) — have reviewed these cases repeatedly, and the emerging principle is consistent: biometric systems must pass a proportionality test, not just a consent test.

In a 2022 decision, the Danıştay 12th Chamber quashed an administrative order requiring civil servants to use a fingerprint reader for attendance. The court found no clear statutory basis and no voluntary consent. Crucially, it went further: even if consent had been obtained, the employer had to show that biometric data collection was necessary and that no less invasive alternative existed. The court noted that ID cards and password systems could achieve the same purpose — which made the fingerprint scanner disproportionate under KVKK Article 4's data minimisation and proportionality principles.

A 2023 Danıştay ruling reached the same outcome in a palm vein scanner case. The court noted that when the employer tested simpler methods, they worked perfectly well. Deploying biometrics on top of them was excessive — and unlawful.

The message is direct: convenience and efficiency are not justifications for collecting biometric data. If a less intrusive method can do the job, Turkish law may require you to use it.

What Organisations Must Do Before Processing Biometric Data

Whether you run a hotel, a factory, a residential complex, or an international company with offices in Antalya, the compliance checklist is the same:

• Establish the legal ground. Confirm whether explicit consent or a statutory provision authorises the processing. Consent must be genuine — not bundled into employment contracts or made a condition of building entry.
• Apply the proportionality test. Document why biometrics are necessary and why no less invasive alternative achieves the same goal.
• Draft a detailed privacy notice before collecting any data. For the distinction between a privacy notice and explicit consent, see our article on KVKK privacy notices and consent.
• Implement the Board's security measures — encryption, access controls, audit trails, and retention limits.
• Set a retention period and delete or anonymise biometric records when the purpose is fulfilled.
• Register in VERBİS if your organisation qualifies as a data controller. Biometric processing must be declared as a distinct, high-sensitivity activity. For more on VERBİS, see our guide on the VERBİS data controller registry.

Frequently Asked Questions

Q: Can a Turkish employer require fingerprint scanning for attendance?

Generally, no — not without either an explicit statutory basis or genuine voluntary consent, and even then only if the biometric system is necessary and proportionate. Where alternatives exist, courts have struck down fingerprint requirements even when consent was technically present.

Q: Does facial recognition at a hotel comply with KVKK?

It can, if guests provide informed, free, and prior explicit consent — not hidden in terms of service — and if the hotel applies the Board's security standards. The facial data cannot be used for any purpose beyond the one disclosed.

Q: Are foreign companies subject to KVKK biometric rules?

Yes. KVKK applies to any organisation that processes personal data of individuals in Turkey, regardless of where the organisation is incorporated. A foreign company with employees or customers in Turkey must comply fully.

Q: What are the consequences of unlawful biometric processing?

The Personal Data Protection Board can impose administrative sanctions. Processing special-category personal data without legal basis may also give rise to criminal liability under the Turkish Criminal Code.

How Mona Hukuk Can Help

Our team advises companies, developers, and international investors in Antalya on the full spectrum of KVKK compliance — including lawful design of biometric systems, consent architecture, privacy notices, and Board-mandated security measures. We also represent clients before the Personal Data Protection Board in complaint and investigation proceedings.

Contact us at contact@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.