Turkish Legal Framework For The Retention Of Rejected Employee Candidates' Personal Data And Recent Developments
Under the Turkish data protection legislation, namely the Law on the Protection of Personal Data numbered 6698 ("LPPD"), its secondary regulations and the decisions of the local Data Protection Authority ("DPA"), there are no pre-defined general periods envisaged for the retention of specific categories of data. Thus, the main rules and principles set forth regarding data processing activities within the LPPD must be taken into consideration in order to determine lawful retention periods for the processed personal data, which are as follows:
Within this scope, personal data may be retained as long as its purpose which is based on a valid legal basis (such as legitimate interest, performance of a contract etc.) continues to exist.
In cases where personal data of employee candidates whose applications have been accepted are retained, the relevant purposes and legal bases for such retention are clearer than those applicable for the retention of personal data within the job application files (such as CVs) of the rejected candidates, due to the below presented reasons.
Firstly, as the personal data within these job application files are likely to change within short periods of time, it would not be easy to argue that such data would still be up-to-date and can be considered relevant for the purposes of the data controller after relatively long periods of time. Since the LPPD foresees general
principles1 for the processing of personal data (similar to those of EU's) which are applicable and enforceable to the retention of data; storing and processing inaccurate / not up-to-date rejected candidate data shall constitute a violation of the LPPD.
Secondly, a valid legal basis must exist along with the lawful and legitimate (existing) purpose. In the specific case of rejected candidates' personal data, the legal bases which may be relied on for the relevant purposes that the data controller wishes to retain these documents are very limited.
For example, retaining personal data within the job application files of a rejected employee candidate during an appropriate period in order to be being able to offer the job position in case the (initially) accepted candidate becomes unavailable to take the position may be considered lawful.
The DPA recently rendered a decision assessing the issue of the legal ground of "legitimate interest" being relied on in order to retain data relating to rejected employee candidates as detailed below.
The DPA recently rendered a decision regarding the retention of data belonging to a rejected employee candidate who had applied to a bank and requested the data controller bank to delete his/her personal data ("Decision"). The Decision includes the assessment of the DPA regarding the issue of the legal ground of "legitimate interest" being relied on in order to retain data relating to rejected employee candidates.
The DPA stated in its Decision titled "The continuation of the processing of personal data after the rejection of the job application of the data subject to the data controller bank numbered 2021/670 and dated 06/07/2021" which was published on its official website on December 27 2021 that legitimate interest cannot be considered as a valid legal basis in order to retain job application files of rejected candidates if the candidate has requested the employer to delete such data;
"It is necessary to evaluate the defense of the data controller on the basis of legitimate interests for the purpose of "retaining the personal data of the data subject for possible future applications by the data subject in order to confirm the personal data to be submitted to the data controller in these applications" [...] the legitimate interest of the data controller in keeping the data of the data subject is not clear and specific, the expected benefit of the data controller from the processing activity can be obtained in another way and method without the processing of personal data and since it is considered that the data processing activity in question does not provide an institutional benefit to affect a large number of people, the legitimate interest of the data controller in the processing of the said personal data does not override the fundamental rights and freedoms of the data subject [...]"
The DPA further instructed the data controller to destroy the personal data within the job application files of the applicant data subject and the personal data within of every other rejected candidate, if any.
With this Decision, it is seen that relying on the legitimate interest for the purposes of retaining these files "to be able to take the previous application of the candidate into consideration in the evaluation of the job applications to be made by the same candidate in the future" where the candidate has requested the deletion of such data carries a risk of enforcement of administrative sanctions by the DPA.
In conclusion, currently, data controllers must diligently assess their retention purposes with regard to the rejected candidate data and;
(i) in cases where the data controller relies on its legitimate interest, a legitimate interest balance test must be carried out by the controller in line with the following criteria;
(ii) if there is no other legal basis for the relevant retention, explicit consent of the data subject (candidate) must be obtained. As mentioned under the Introduction section above, explicit consent criterion should be duly met.
In either case, the processed data must always be relevant, limited and proportionate with respect to the relevant purposes.
Once the legal bases are duly determined, retention period should be foreseen in line with the general principles mentioned above, as set forth within Article 4 of the LPPD. Due the fact that certain documents (mainly CVs) are likely to not be up-to-date within a short period of time, retention period should be determined with a relatively strict approach.
Lastly, it should be noted that once the retention period ends (purpose linked with the controller's legitimate interest ceases to exist, data subject requests the deletion of his/her data, or the data subject revokes his/her explicit consent), the relevant data must be deleted, destroyed or anonymized in accordance with the Regulation on Erasure, Destruction or Anonymization of Personal Data.
1 The DPA clearly specifies the elements to be considered while conduction a legitimate interest balance assessment inter alia within its decision dated 25/03/2019 and numbered 2019/78. (Available only in Turkish at: https://www.kvkk.gov.tr/Icerik/5434/2019-78)
2 "The following principles shall be complied within the processing of personal data: (i) Lawfulness and conformity with rules of good faith. (ii) Accuracy and being up to date, where necessary. (iii) Being processed for specific, explicit and legitimate purposes. (iv) Being relevant with, limited to and proportionate to the purposes for which they are processed. (v) Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed."