
06 October 2023

Personal Data Protection Law (PDPL) in Human Resources Processes: Why is It Important?

Author: Civan Güneş, CottGroup Legal and Legislation Team. Category: KVKK - GDPR, Work Life


In today's business world, the Personal Data Protection Law (PDPL) has codified the need for personal data protection, making it a priority for every organization. Human resources departments are responsible for collecting, managing, and storing extensive personal data, including sensitive data about employees and candidates. This data includes social security numbers, addresses, phone numbers, email addresses, medical records, and other personal data. Therefore, the significance of personal data protection in human resources cannot be overstated. We've outlined the critical factors that HR professionals should pay attention to when it comes to protecting personal data during the recruitment and active employment processes.

Personal Data Protection in the Recruitment Process

Personal data protection has become an increasingly important issue in recent years, especially in the case of recruitment, termination, and subsequent processes. With technological advancements, companies can access more personal data than ever before, making it compulsory to handle, store, and dispose of such data appropriately.

Under the Personal Data Protection Law (PDPL), data controllers must protect the personal data acquired during the recruitment process. Therefore, HR personnel involved in recruitment must undergo specific training on the regulations and responsibilities surrounding personal data protection to comply with the PDPL. This training will ensure that all collected personal data is processed in adherence to the regulations.

During the recruitment process, the candidates should be informed about who will handle their personal information and for what purposes. The personal data collected should only be used for evaluating and assessing candidates, not for marketing or advertising, and not shared with third parties without the candidate's consent. Once the recruitment process is over, the data collected must be securely disposed of to comply with the Personal Data Protection Law.

To avoid discrimination during recruitment, it's crucial not to collect or process special categories of personal data such as religious beliefs or political opinions unless it's necessary for the specific role. If psychological or alcohol/drug tests are a requirement for a position, the candidate should give explicit consent, and measures should be taken to comply with the Personal Data Protection Law.

Employers should only request information from job candidates that is directly relevant and necessary for the recruitment process. For instance, if a company vehicle is not required for the position, then some personal data should not be requested. It is also important to avoid asking for an excessive amount of personal data. Data controllers should take measures to protect the personal data collected during recruitment and inform candidates about how their data will be processed to ensure compliance with the PDPL.

Personal Data Protection During the Employment Process

As per the Personal Data Protection Law (PDPL), protecting the personal data of employees is a legal obligation in our country. This requirement implies that reasonable measures must be taken to ensure that personal data is not accessed without permission, not used for other purposes than intended, and not disclosed. Failure to comply with these regulations can result in significant fines and legal proceedings.

Article 75 of Labor Law No. 4857 mandates that employers or Human Resources personnel acting on behalf of the employer must maintain an employee info file for each worker they employ. This file must contain the worker's identity information, as well as all documents and records required to be kept under the Labor Law and other laws. When requested, authorized officials and authorities must be provided access to this information.

Employers are required by the Personal Data Protection Law to provide their employees with an explanation of the personal information contained in their employee info files, as well as the reasons for collecting and processing this information. Employee consent is not required for this processing: Article 5, paragraph 2, sub-paragraph (a) of the PDPL states that personal data may be processed without consent if explicitly authorized by law, and under Article 75 of the Labor Law, the processing of personal data for the creation of personnel files is mandatory.

To secure the protection of employees' personal data, certain precautions should be taken, such as:

  • Comprehensive Data Protection Policy: Employers should create a data protection policy outlining the organization's procedures for handling sensitive employee data. The policy should be communicated to all employees and should cover topics like data access, storage, and disposal.

  • Limited Access: Employers should limit access to personal data only to employees who require it for their job responsibilities. It is advisable to implement role-based access controls and keep the number of employees with access to sensitive data at a minimum.

  • Data Storage Security: Employers should store personal data in secure areas, such as locked cabinets or password-protected servers. Physical files should be kept under lock and key, electronic files should be encrypted, and password protection should be enforced.

  • Secure Communication Channels: Employers should use secure channels, such as encrypted email or messaging apps, to transmit personal data. Personal data should not be sent through insecure channels like regular email or text messages.

  • Access Monitoring and Auditing: Employers should regularly monitor and audit employee access to personal data to detect any suspicious activities, potential data breaches, or unauthorized access.

  • Employee Training: Employers should provide necessary training for employees on data protection policies and procedures to ensure their understanding of handling sensitive information.

  • Data Disposal: It is important for employers to properly dispose of personal data once it is no longer needed. This can be accomplished through methods such as shredding physical documents or deleting electronic files securely.

It is also important to note that employees have the right to access their personal data. As such, data controllers should provide employees with the chance to review their personal information and make any necessary corrections.

Should you have any queries or need further details, please contact us.


The contents provided in this article serve informative purposes only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents without credit being given to the source is strictly prohibited. Regardless of all the precautions and care taken in the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject.

For each concrete situation, it is strongly advised to seek guidance from a professional advisor. If you are a customer of ours, please consult with your customer representative before taking any action related to the announcement. If you are not a customer, seek advice from an expert.
