The widespread adoption of remote work following the pandemic has once again brought personal data protection to the forefront, raising concerns about data security and privacy and calling into question the reliability of the digital infrastructures used within the workplace. Despite the economic and technological advantages it offers, the remote work model presents certain risks in terms of data security.
In Turkey, the protection of personal data is governed by the Personal Data Protection Law (KVKK), which came into force on April 7, 2016. This law establishes strict regulations regarding the collection, processing, and storage of employees’ personal data by employers.
Employer’s Obligations in the Remote Work Model
The use of cloud-based or similar software, which has become practically essential during remote work, heightens concerns regarding the protection of personal data. For example, granting access to company data through various networks and devices, instant messaging platforms, emails, and cloud-based file-sharing services may result in unauthorized access to personal data. To mitigate security breaches, one of the preventive measures introduced is the authentication system outlined in the Electronic Signature Law, which aims to control data access.
Pursuant to Articles 12 and 7 of the KVKK, employers are required to implement all necessary technical and administrative measures to ensure data security and to prevent the unlawful processing of personal data.
Furthermore, the use of devices provided by the employer, which are specifically designated for the tasks at hand, along with regular updates, the establishment of strong passwords, multi-factor authentication, remote access, and data deletion mechanisms, are among the preventive measures that employers can adopt to ensure data security during remote work.
Additionally, employers are obligated to provide training to raise awareness among employees about potential threats, such as phishing attacks and malware. In cases where data is stolen due to the loss, theft, or hacking of devices, the employer bears the responsibility of initiating the legal process.
Limits of the Employer’s Authority to Monitor Data
While employers are required to take necessary measures to protect personal data during remote work, there are certain boundaries they must observe. These boundaries are defined by the KVKK and the Turkish Code of Obligations.
Employers possess the authority to monitor data access during remote work, but this authority is limited by the provisions of the KVKK, with the aim of preventing undue interference with employees’ private lives. In this regard, employers must first obtain explicit consent to access the data.
Moreover, employers must act in accordance with the principles of proportionality and necessity as stipulated by the Law of Obligations.
Conclusion
Employers should implement measures such as the use of electronic signatures, the deployment of devices dedicated solely to the tasks at hand, ensuring these devices are regularly updated, utilizing strong passwords, and enabling remote access and data deletion features to minimize the risk of unauthorized access to personal data during remote work. In addition to these measures, it is imperative to provide training to employees to raise awareness about potential threats, including malware and phishing attacks. While implementing these safeguards, employers must first obtain permission to access data to avoid infringing on the privacy of employees. Furthermore, access to data should only be granted when necessary for the specific task at hand, and the methods used should not excessively interfere with employees’ private lives.
Berfin Naz Ayduk
Attorney At Law