Opinion19 min read

Is an Employer's Technical Monitoring of Remote Workers Compliant with the KVKK?

An employer's technical monitoring of a remote worker is not absolutely prohibited. It complies with the KVKK where it rests on a valid legal basis, is notified in advance, and is purpose-limited and proportionate. Limits and practical criteria under Board, Constitutional Court and ECtHR case law.

Z

Av. Umut Zorer

Founding Lawyer

The tension between the employer's power to supervise employees and to organise work, on the one hand, and the employee's right to the privacy of their private life and to request the protection of their personal data, on the other, has taken on a new dimension as remote and hybrid working have become widespread. Monitoring the computer, corporate e-mail, internet traffic or location of an employee outside the office by technical means protects the employer's legitimate interests while at the same time potentially reaching into the employee's home and private life. Remote worker monitoring is therefore not merely a matter of information security or productivity: it is directly a subject of personal data protection law.

An employer's monitoring of a remote worker by technical means is not absolutely prohibited. However, such monitoring is regarded as compliant with Personal Data Protection Law No. 6698 (KVKK) where it rests on a valid legal basis, is notified in advance and explicitly, is limited to its purpose and proportionate, and where the least intrusive method has been chosen. Covert, continuous and indiscriminate monitoring is, as a rule, unlawful; where the conditions are met, it may even give rise to criminal liability.

What Does Remote Worker Monitoring Mean?

Remote worker monitoring is the employer's measurement, recording and evaluation of the employee's work activity by technical means rather than by physical supervision. Such monitoring takes very different forms according to the nature of the data processed and the intensity of the intrusion. At one end are access logs that hold only access metadata (who connected, when and from which address); at the other are software applications that continuously monitor the employee's screen, keystrokes, camera and microphone. The legal assessment is made not by reference to the name of the tool, but by asking which of the employee's data that tool reaches and with what intensity.

Technical monitoring at the workplace and in remote working amounts to the processing of the employee's (the data subject's) personal data, and this processing activity makes the employer, in its capacity as data controller, subject to Personal Data Protection Law No. 6698. Three elements form the core of the assessment: the general principles (Article 4), the legal basis (Article 5) and the obligation to inform (Article 10).

The Principle of Proportionality

Article 4(2) of the KVKK lists the general principles with which every processing operation must comply: lawfulness and compliance with the rules of good faith; being accurate and, where necessary, up to date; being processed for specified, explicit and legitimate purposes; being relevant, limited and proportionate to the purposes for which they are processed; and being retained only for the period laid down in the relevant legislation or required for the purpose of processing. Of these principles, the one that is decisive in the debate on monitoring is the principle of proportionality in Article 4(2)(ç). The proportionality test proceeds through three sub-criteria: whether the tool serves the purpose (suitability), whether the same purpose could be achieved by a less intrusive means (necessity), and whether the balance between the intrusion into the employee's privacy and the employer's interest is preserved (proportionality stricto sensu). Even if a monitoring tool serves a legitimate purpose, where the same result can be obtained by a less intrusive method the necessity criterion is not met and the processing becomes unlawful.

Under Article 5(1) of the KVKK, personal data may not be processed without the data subject's explicit consent; Article 5(2) lists the exceptions that allow processing without explicit consent. These include express provision in the laws (Article 5(2)(a)), being directly related to the conclusion or performance of a contract (Article 5(2)(c)), compliance with the data controller's legal obligation (Article 5(2)(ç)), being mandatory for the establishment, exercise or protection of a right (Article 5(2)(e)), and the data controller's legitimate interest, provided that the data subject's fundamental rights and freedoms are not harmed (Article 5(2)(f)).

The use of explicit consent as a legal basis in the employment relationship raises a particular difficulty. Because of the dependency and the imbalance of power between employee and employer, it is in most cases hard to say that an employee's consent to monitoring rests on free will; consent given in an environment where an employee who refuses may face adverse consequences may not be regarded as valid explicit consent. For this reason, workplace monitoring is in practice assessed less on consent than on the performance of the employment contract (Article 5(2)(c)) and legitimate interest (Article 5(2)(f)), by reference to the obligation to inform and proportionality. Where legitimate interest is relied upon, a balancing test between the employer's interest and the employee's fundamental rights and freedoms is expected to be carried out and documented.

The Obligation to Inform

Article 10 of the KVKK imposes on the data controller an obligation to inform the data subject at the time of obtaining the data. The information must cover the identity of the data controller, the purposes for which the personal data will be processed, to whom and for what purposes they may be transferred, the method and legal basis of collection, and an explanation of the rights listed in Article 11. In the context of technical monitoring, information is not a mere formality but a precondition of proportionality and lawfulness: the employee must know in advance by which tool, for what purpose and to what extent they are being monitored. Monitoring that is not notified in advance and explicitly is, as a rule, contrary to the principle of good faith and to the obligation to inform.

The Criminal Dimension of Covert Monitoring

Technical monitoring does not only create a risk of administrative sanction; in certain cases it may also give rise to criminal liability. Article 132 of the Turkish Penal Code No. 5237 punishes anyone who violates the confidentiality of communications with imprisonment from one to three years and provides that the penalty is doubled where the violation is committed by recording the content of the communication. Article 135 of the same Code punishes anyone who unlawfully records personal data with imprisonment from one to three years. Applications such as spyware, covert screen capture or keystroke logging installed without the employee's knowledge may, where the conditions are met, fall within the scope of these offences. This shows that covert monitoring is conduct that is not only invalid but also potentially criminal.

Decisions from Türkiye

On remote worker monitoring, Turkish law has established a definite framework both at the level of the Personal Data Protection Board (the Board) and at the level of the higher courts' case law.

Decisions of the Personal Data Protection Board

In workplace monitoring disputes, the Board follows a line that internalises the criteria of the European Court of Human Rights (ECtHR) and the Constitutional Court. The Board's decision no. 2023/86 of 19 January 2023 concerns a data controller's processing of data by monitoring, accessing and storing the content of the corporate e-mail account allocated to an employee. In that decision, referring to the Constitutional Court's judgment of 17 September 2020 in application no. 2016/13010 and to the criteria in the ECtHR's Barbulescu judgment, the Board assessed the employer's prior and explicit information, the scope of the monitoring and the degree of intrusion into privacy, whether a less intrusive method was possible, the existence of a legitimate justification, the number of persons with access to the results and the safeguards afforded to the employee.

Decision no. 2021/1187 of 25 November 2021, by contrast, concerns an employer's access to a former employee's corporate e-mail account without any information notice being given, and an administrative fine was imposed on account of that access. Read together, these decisions show that the Board accepts that the employer has a supervisory interest in corporate tools, but that this interest is confined by prior information, purpose limitation and proportionality.

Judgments of the Constitutional Court

The Constitutional Court's leading judgment in this field is the Plenary judgment in E.Ü., application no. 2016/13010 of 17 September 2020. In that application, which concerned the employer's examination of the corporate e-mail content of an applicant working at a private law firm partnership and the termination of the employment contract, the Constitutional Court found a violation of the right to request the protection of personal data and of freedom of communication within the scope of the right to respect for private life. The judgment established the criterion that the employer's supervisory authority over the employee, and the limits of that authority, must be notified to the employee in advance.

To see the balance, a judgment pointing in the opposite direction should also be mentioned. In the Constitutional Court's judgment in Celal Oraj Altunörgü, application no. 2018/31036 of 12 January 2021, the examination of the corporate e-mail content of an applicant working at a private bank and his dismissal were at issue; however, since the employment contract provided that corporate e-mail could be inspected without notice, the condition of prior information was held to be satisfied and it was decided unanimously that there had been no violation. Read together, the two judgments make the decisive distinction clear: whether prior and transparent notification was given is the element that directly determines the outcome.

The Approach of the Court of Cassation

The same principle applies at the level of labour jurisdiction. In the Court of Cassation 22nd Civil Chamber's judgment of 7 May 2019 (Merits no. 2017/21857, Decision no. 2019/9884), it was stated that the employer may always monitor and track the employee electronically as a consequence of its managerial prerogative, but that this requires the employee to have been informed about such monitoring. The judgment established that the burden of proving that the information was given lies with the employer, and that data obtained through monitoring carried out covertly or without information will be regarded as unlawful and therefore cannot be used as evidence in a dismissal. This case law is important in showing that covert monitoring is not only a data protection problem but also a question of the admissibility of evidence.

The European Framework: The ECtHR and Data Protection Authorities

The criteria in Turkish law largely overlap with European human rights and data protection practice. Although this framework is not directly binding for Türkiye (with the exception of ECtHR case law), it is a source that inspires the decisions of the Board and the courts and carries comparative value.

The ECtHR: Barbulescu and López Ribalda

The turning point in this field before the ECtHR is the Grand Chamber judgment in Barbulescu v. Romania (application no. 61496/08, 5 September 2017). The Grand Chamber held that Article 8 of the Convention (respect for private life and correspondence) had been violated where an employer monitored an employee's corporate communications account without adequate prior information. The judgment sets out the criteria that national courts must observe when reviewing employer monitoring: whether the employee was informed in advance, the scope of the monitoring and the degree of intrusion into privacy, whether there was a legitimate justification for the monitoring, whether a less intrusive method was possible, how the results of the monitoring were used, and the safeguards afforded to the employee.

By contrast, López Ribalda and Others v. Spain (applications nos. 1874/13 and 8567/13, 17 October 2019) shows the narrow conditions in which covert monitoring may exceptionally be legitimate. In that case, where supermarket cashiers were monitored by hidden cameras, the Grand Chamber assessed the specific circumstances (the existence of a reasonable suspicion of theft, the limited duration and scope of the monitoring) and held that there had been no violation of Article 8 of the Convention. Together, these two judgments establish that covert monitoring is prohibited as a rule, but may be regarded as legitimate in exceptional cases that rest on a concrete and serious suspicion and are strictly limited in duration and scope.

WP29 Opinion 2/2017 and the GDPR

At European Union level, the principal reference on data processing at work is the Article 29 Working Party's (WP29) Opinion 2/2017 (WP249), adopted on 8 June 2017. The document states that, because of the imbalance of power between employer and employee, consent cannot as a rule be a valid legal basis; that the employer may rely on legitimate interest, but that the processing must be strictly necessary for the legitimate purpose, proportionate and consistent with the principle of subsidiarity. In the words of the document, data processing at work must be carried out in the least intrusive manner possible and targeted at the specific area of risk.

In turn, Article 88 of the General Data Protection Regulation (GDPR) empowers Member States to lay down more specific rules in the employment context and requires, particularly in respect of monitoring systems at the workplace, the provision of suitable and specific measures to safeguard the employee's human dignity, legitimate interests and fundamental rights. The principles set out in Article 5 of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability) also delimit monitoring. As regards video surveillance at the workplace, the current EDPB text is Guidelines 3/2019 on processing of personal data through video devices (final version, 30 January 2020).

Examples from European Data Protection Authorities

Recent decisions of European data protection authorities give concrete form to how decisive monitoring intensity and data retention periods are in the proportionality test.

In France, the CNIL imposed an administrative fine of EUR 32,000,000 on Amazon France Logistique for the excessive and automated monitoring of warehouse workers through handheld scanners, by decision no. SAN-2023-021 of 27 December 2023. The decision rests on breaches of Articles 5(1)(a), 5(1)(c), 6, 12, 13 and 32 of the GDPR; it found disproportionate the very detailed and almost continuous measurement of worker activity and the retention of the data for 31 days. That fine was subsequently varied by the French Conseil d'État's decision no. 492830 of 23 December 2025, which, as regards certain monitoring indicators, reduced it to EUR 15,000,000; the findings on data minimisation and on the breach of the security obligation were nevertheless upheld. The decision shows that excessive measurement and unduly long retention are regarded as disproportionate, and that this core assessment has also survived review by the supreme administrative court.

In Italy, the Garante has developed a detailed line on workplace e-mail metadata and monitoring logs. Its guidance document no. 364 of 6 June 2024 states that the metadata collected by e-mail management software must be kept only for the period needed for the operation of the infrastructure, that is, a few days and in any event no longer than 21 days; retention beyond that period must be based on a demonstrated technical necessity and on a data protection impact assessment (DPIA). By its decision no. 472 of 17 July 2024, the Garante imposed an administrative fine of EUR 80,000 on Selectra S.p.A., which retained backups of employees' e-mails for up to three years after the end of the employment relationship and kept access logs for at least six months. In its decision no. 243 of 29 April 2025, it found that Regione Lombardia's retention of e-mail metadata for 90 days and of internet browsing logs for 365 days was contrary to the principles of proportionality and storage limitation. These decisions rest on Article 4 of the Italian Workers' Statute (Statuto dei Lavoratori), which makes the use of tools capable of remote monitoring subject to safeguards protecting employees, and on Article 88 of the GDPR.

In the United Kingdom, the ICO's guidance "Employment practices and data protection: monitoring workers" (October 2023) is particularly notable for remote working. The guidance emphasises that workers' expectation of privacy at home is higher than at the workplace and that the risk of capturing information about family and private life increases. Its sub-page on methods of monitoring states that, because of the high risk involved, a DPIA is mandatory before screenshot capture, webcam recording and keystroke monitoring (classified as behavioural biometric data) and before video and audio surveillance, and that capturing webcam footage is particularly hard to justify. Although this guidance is not binding for Türkiye, it offers a comparative benchmark for risk assessment and for the practice of choosing the least intrusive method in remote worker monitoring.

In Practice: Examples of Lawful and Unlawful Monitoring

This entire framework can be reduced in practice to two basic questions: can the legitimate purpose the employer seeks be achieved by a less intrusive means, and is the employee aware of the monitoring in advance and explicitly? The examples below are arranged around these two questions.

Practices That May Be Assessed as Lawful

  • Keeping VPN and information system login and logout records for the purpose of access security, with prior information and for a limited period.
  • Reporting application usage times in aggregated form, so as to serve workload planning rather than individual discipline.
  • Backing up corporate e-mail for continuity and disaster recovery purposes and running automated security scans against malware and data leakage; examining content only where there is a concrete and justified suspicion, narrow in scope and with reasons given.
  • In field work (courier services, tourism vehicle operations, logistics), location tracking limited to working hours only and connected to security purposes.
  • MDM applications on corporate devices, limited to security functions only.

Practices Regarded as Unlawful

  • Keystroke logging (keyloggers), covert screen capture and spyware installed without the employee's knowledge. These tools collect data indiscriminately, covertly and continuously; they may even give rise to criminal liability under the Turkish Penal Code.
  • Continuous or random webcam monitoring of a remote worker in their home, or listening in through a microphone. This is an intrusion into the core of privacy and, in effect, into the inviolability of the home.
  • Location tracking in a desk-based job where the nature of the work does not require it, or the continuation of monitoring that remains switched on after working hours have ended.
  • Profiling that records internet browsing on an individual basis and thereby makes it possible to draw inferences about the employee's special categories of personal data, such as health, political opinion or belief.
  • Any monitoring that has not been notified in advance and explicitly. Under the case law of the Court of Cassation, data obtained in this way cannot be used as evidence in a dismissal.

Checklist for Employers

The soundest route to lawfulness in remote worker monitoring is to complete the following steps in writing before the tool is installed:

  1. Identifying the purpose: the concrete, explicit and legitimate purpose served by the monitoring must be defined; a general justification of productivity or trust is not sufficient.
  2. Choosing the legal basis: rather than explicit consent, the performance of the employment contract or legitimate interest should be assessed; where legitimate interest is relied upon, the balancing test must be documented.
  3. Choosing the least intrusive method: metadata should be preferred to content, and aggregation to individual surveillance; where the same purpose can be achieved by a lighter means, the more intrusive method must not be used.
  4. Providing information: the employee must be informed in advance and explicitly about the purpose, scope, method and legal basis of the monitoring, the retention period and their rights; covert monitoring must be avoided.
  5. Minimising the retention period: data must be limited to the period necessary for the purpose, and that period must be documented.
  6. Carrying out a DPIA for high-risk monitoring: a data protection impact assessment must be prepared before intensive monitoring such as screen, keystroke, camera and audio monitoring, and before systematic monitoring.
  7. Limiting the scope: monitoring must be confined to working hours and to the corporate sphere; practices that extend into the employee's home and private life must be avoided.
  8. Documentation and audit: access rights must be kept to a minimum, records must be kept of who has accessed the data, and the practice must be reviewed regularly.

Frequently Asked Questions

Can an employer read an employee's corporate e-mail?

Although corporate e-mail is a tool belonging to the employer, reading its content constitutes an intrusion into the confidentiality of communications and into private life. The Constitutional Court's judgment in application no. 2016/13010 requires the employer to notify the employee in advance of its supervisory authority and the limits of that authority. Where prior and explicit notification has been given, access to content may be possible only on a concrete and justified suspicion, narrow in scope and with reasons given. An examination carried out without notification is, as a rule, unlawful.

Can covert monitoring software be installed on a remote worker's computer?

Tools such as keyloggers, covert screen capture or spyware installed without the employee's knowledge are, as a rule, unlawful. Such software collects data indiscriminately, covertly and continuously; it breaches all three criteria of the principle of proportionality (suitability, necessity and proportionality stricto sensu). It may also give rise to criminal liability under the Turkish Penal Code where the conditions are met.

In most cases it is not. Because of the dependency and the imbalance of power in the employment relationship, it is hard to say that the employee's consent rests on free will, and for that reason it may not be regarded as valid explicit consent. This point is also emphasised in WP29 Opinion 2/2017. In practice, monitoring rests less on consent than on the performance of the employment contract or legitimate interest, together with the obligation to inform and proportionality.

What information must an employer provide when monitoring an employee?

Under Article 10 of the KVKK, before beginning monitoring the employer must inform the employee of the identity of the data controller, the purpose of processing, to whom the data may be transferred, the method and legal basis of collection, and the rights listed in Article 11. In technical monitoring, this information must also set out the scope and method of the monitoring in concrete terms. According to the case law of the Court of Cassation, the burden of proving that the information was given lies with the employer.

Can a remote worker's location (GPS) be tracked?

Location tracking may be regarded as proportionate only where the nature of the work makes it necessary (tourism vehicle operations, logistics) and where it is limited to working hours. In desk-based or remote office work, location tracking has no legitimate justification and is disproportionate. Even in a proportionate application, switching the tracking off outside working hours and limiting it to its purpose are essential.

Can records obtained through covert monitoring be used as evidence in a labour case?

Data obtained through monitoring carried out covertly or without prior information to the employee is regarded as unlawful and cannot be used as evidence in a dismissal. Covert monitoring is therefore a method that is both unlawful in terms of data protection law and devoid of evidential value in terms of labour law.