İstanbul, Türkiye | Publication | June 2026

Public Announcementon the Use of Security Cameras in Workplaces

Authors: Senem Gölge Yalçın, Selin Önbilgin

The Turkish Personal Data Protection Authority (the “Authority”) published a Public Announcement on 8 June 2026 outlining the key considerations regarding personal data processing activities carried out through security camera recordings in workplaces.

The Purpose of Security Camera Use Must Be Clear, Specific and Legitimate

The Authority states that the use of security cameras in workplaces may be based on specific and legitimate purposes such as:

  • ensuring occupational health and safety;
  • preventing workplace accidents;
  • maintaining workplace security;
  • assisting in the prevention and detection of criminal activities; and
  • fulfilling the employer’s legal obligations.

In this regard, data controllers are expected to take the principle of data minimization into account when assessing the necessity of security camera systems and to limit the processing of personal data to the minimum extent necessary to achieve the intended purpose. Furthermore, where the use of security cameras serves multiple purposes, the purpose of the personal data processing activity should be determined clearly and specifically in advance, taking into account the circumstances of the particular case.

On the other hand, the Authority emphasizes that the use of cameras for purposes such as monitoring employee productivity, increasing discipline, continuously supervising employees, or conducting general surveillance cannot be regarded as a legitimate purpose.

Principle of Proportionality and Protection of Employees’ Privacy

The Announcement places particular emphasis on the principle of proportionality, one of the fundamental principles of the Personal Data Protection Law (“PDPL”).

According to the Authority, camera systems should be assessed in light of the criteria of suitability, necessity and proportionality. In this respect:

  • the least intrusive method necessary to achieve the intended purpose should be preferred when determining camera placement, viewing angles and coverage areas;
  • the use of cameras in areas presenting security risks, such as entrances and exits, warehouses or cash handling areas, may generally be considered acceptable;
  • cameras should not be installed in areas where employees have a heightened expectation of privacy, such as restrooms, changing rooms, prayer rooms and break areas;
  • the location, viewing angle, zoom capability, continuity of recording and frequency of monitoring should be carefully evaluated; and
  • additional proportionality assessments should be conducted in relation to wide-angle surveillance covering the entire workplace, facially focused recordings or practices amounting to continuous monitoring.

The Authority further underlines that the reasonable expectation of privacy of employees and other individuals should be taken into consideration, even within the workplace. It also notes that data controllers should assess whether third parties present in publicly accessible areas of the workplace, including children and other individuals requiring special protection, may be affected by the operation of security camera systems.

Cameras with Audio Recording Functions Require Stricter Assessment

The Authority considers audio recording through security cameras to constitute a significantly more intrusive interference with the right to privacy.

Accordingly, the use of audio recording functionalities should only be considered where there is a clear legal basis and a demonstrable necessity. Data controllers should also assess whether the intended purpose can be achieved through less intrusive means.

Transparency Obligations and Data Security Measures

Employers are required to inform employees and other relevant individuals regarding personal data processing activities carried out through security cameras and to fulfil their transparency obligations under Article 10 of the PDPL, including by providing appropriate notices in monitored areas.

In addition, the Authority highlights that employers should implement appropriate technical and organisational measures to ensure the security of camera recordings, including:

  • restricting access rights;
  • establishing authorization matrices;
  • preventing unauthorized access;
  • ensuring the secure storage of recordings; and
  • implementing procedures governing access to and management of recordings.

Retention Periods and Access Controls Should Be Carefully Managed

The Authority notes that retaining camera recordings for longer than necessary may constitute a violation of the PDPL.

Accordingly, data controllers are advised to:

  • determine retention periods in accordance with the purpose of processing;
  • implement automatic deletion or destruction mechanisms where possible;
  • ensure that recordings are accessible only to authorized personnel;
  • prevent the unauthorized disclosure of recordings; and
  • establish internal procedures governing access to and sharing of recordings.

The Authority further emphasizes that, where a specific incident occurs, only the recordings relevant to that incident should be retained for the duration of the relevant legal process, while all other recordings should be deleted or destroyed upon expiry of the applicable retention period.