On 8 June 2026, the Personal Data Protection Authority (the “Authority”) published the “Public Announcement on the Matters to be Considered in the Use of Security Camera Systems in Workplaces” (the “Public Announcement”). In the Public Announcement, the Authority emphasizes that employers may carry out personal data processing activities through security camera systems in workplaces in line with their obligations arising from the Turkish Code of Obligations No. 6098 and the Occupational Health and Safety Law No. 6331; however, such use cannot be considered as an unlimited monitoring tool.
In this context, the Authority states that personal data processing activities carried out through security cameras in workplaces must be conducted in compliance with the Personal Data Protection Law No. 6698 (the “Law”).
The key points that employers should consider within the scope of the Public Announcement are summarized below:
- Before using security cameras, the need for camera use should be assessed on a case-by-case basis and the principle of data minimization should be observed.
- The purpose of using security cameras should be determined clearly and concretely from the outset; camera records should not be used outside such purpose for monitoring employees’ attendance, performance or whether they work efficiently, increasing discipline or ensuring general control. The Authority states that such uses cannot be considered within the scope of a “legitimate purpose”.
- The use of cameras should be assessed within the framework of the principle of proportionality. In this context, the use of cameras in common areas or areas involving security risks may be considered proportionate on a case-by-case basis, taking into account the camera location, viewing angle, zoom feature, continuity of recording and frequency of monitoring.
- Employees’ and other data subjects’ reasonable expectation of privacy should be observed; cameras should not be placed in private areas such as toilets, changing rooms, prayer rooms and rest areas.
- Wide-angle or face-focused recording practices covering the entire workplace should be avoided; since audio recording is a highly intrusive method in terms of the right to privacy, audio recording cameras should be approached with caution and should not be used unless its lawful justification and necessity are clearly demonstrated.
- All factors—including whether individuals not subject to surveillance or monitoring in the workplace’s public areas, particularly vulnerable individuals and children who require special protection, will be affected by the processing of their personal data through the installation of a security camera system—must be thoroughly assessed.
- Data subjects should be informed about the use of security cameras and the obligation to inform should be fulfilled pursuant to Article 10 of the Law.
- Necessary technical and organisational measures should be taken to ensure the security of personal data processed through camera records (e.g., authorization matrix, prevention of unauthorized access, etc.).
- Camera records should be retained only for the period necessary for the purposes for which they are processed; the shortest possible retention period should be determined and an automatic deletion mechanism should be implemented in the system. In the event of an incident, only the relevant record should be retained throughout the legal process.
- Necessary procedures should be prepared to ensure the security and confidentiality of the records.
The Public Announcement states that if non-compliance with the foregoing matters is identified, administrative fines may be imposed on the relevant data controllers pursuant to Article 18 of the Law, taking into account their obligations under Article 12 of the Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
