06 October 2023
Personal Data Protection Law (PDPL) in Human Resources Processes: Why is It Important?
In today's business world, the need for personal data protection has been ensured by the Personal Data Protection Law (PDPL), making it a priority for every organization. Human resources departments are responsible for collecting, managing, and storing extensive personal data, including sensitive data about employees and candidates. This data includes social security numbers, addresses, phone numbers, email addresses, medical records, and other personal data. Therefore, the significance of personal data protection in human resources cannot be overstated. We've outlined the critical factors that HR professionals should pay attention to when it comes to protecting personal data during the recruitment and active employment processes.
Personal Data Protection in the Recruitment Process
Personal data protection has become an increasingly important issue in recent years, especially in the case of recruitment, termination, and subsequent processes. With technological advancements, companies can access more personal data than ever before, making it compulsory to handle, store, and dispose of such data appropriately.
Under the Personal Data Protection Law (PDPL), data controllers must protect the personal data acquired during the recruitment process. Therefore, HR personnel involved in recruitment must undergo specific training on the regulations and responsibilities surrounding personal data protection to comply with the PDPL. This training will ensure that all collected personal data is processed in adherence to the regulations.
During the recruitment process, the candidates should be informed about who will handle their personal information and for what purposes. The personal data collected should only be used for evaluating and assessing candidates, not for marketing or advertising, and not shared with third parties without the candidate's consent. Once the recruitment process is over, the data collected must be securely disposed of to comply with the Personal Data Protection Law.
To avoid discrimination during recruitment, it's crucial not to collect or process special categories of personal data such as religious beliefs or political opinions unless it's necessary for the specific role. If psychological or alcohol/drug tests are a requirement for a position, the candidate should give explicit consent, and measures should be taken to comply with the Personal Data Protection Law.
Employers should only request information from job candidates that is directly relevant and necessary for the recruitment process. For instance, if a company vehicle is not required for the position, then some personal data should not be requested. It is also important to avoid asking for an excessive amount of personal data. Data controllers should take measures to protect the personal data collected during recruitment and inform candidates about how their data will be processed to ensure compliance with the PDPL.
Personal Data Protection During Employment Process
As per the Personal Data Protection Law (PDPL), protecting the personal data of employees is a legal obligation in our country. This requirement implies that reasonable measures must be taken to ensure that personal data is not accessed without permission, not used for other purposes than intended, and not disclosed. Failure to comply with these regulations can result in significant fines and legal proceedings.
Article 75 of Labor Law No. 4857 mandates that employers or Human Resources personnel acting on behalf of the employer must maintain an employee info file for each worker they employ. This file must contain the worker's identity information, as well as all documents and records required to be kept under the Labor Law and other laws. When requested, authorized officials and authorities must be provided access to this information.
Employers are required by the Personal Data Protection Law to provide their employees with an explanation of the personal information contained in their employee info files, as well as the reasons for collecting and processing this information. While employee consent is not required for the processing of their personal data, it is stated in Article 5, paragraph 2, sub-paragraph (a) of the PDPL that personal data may be processed without consent if explicitly authorized by law. Under Article 75 of the Labor Law, the processing of personal data for the creation of personnel files is mandatory.
To secure the protection of employees' personal data, certain precautions should be taken, such as:
- Comprehensive Data Protection Policy:
- Limited Access:
- Data Storage Security:
- Secure Communication Channels:
- Access Monitoring and Auditing:
- Employee Training:
- Data Disposal:
Employers should create a data protection policy outlining the organization's procedures for handling sensitive employee data. The policy should be communicated to all employees and should cover topics like data access, storage, and disposal.
Employers should limit access to personal data only to employees who require it for their job responsibilities. It is advisable to implement role-based access controls and keep the number of employees with access to sensitive data at a minimum.
Employers should store personal data in secure areas, such as locked cabinets or password-protected servers. Physical files should be kept under lock and key, electronic files should be encrypted, and password protection should be enforced.
Employers should use secure channels, such as encrypted email or messaging apps, to transmit personal data. Personal data should not be sent through insecure channels like regular email or text messages.
Employers should regularly monitor and audit employee access to personal data to detect any suspicious activities, potential data breaches, or unauthorized access.
Employers should provide necessary training for employees on data protection policies and procedures to ensure their understanding of handling sensitive information.
It is important for employers to properly dispose of personal data once it is no longer needed. This can be accomplished through methods such as shredding physical documents or deleting electronic files securely.
It is also important to note that employees have the right to access their personal data. As such, data controllers should provide employees with the chance to review their personal information and make any necessary corrections.
Should you have any queries or need further details, please contact us.