Legal Criteria for Lawful Termination of Employment Based on Personal Data Breach: A Recent Decision by the 9th Civil Chamber of the Court of Cassation
- Nuri Melih İnce
- Jun 25

1. Introduction
The recent decision of the 9th Civil Chamber of the Court of Cassation (“9th Chamber”) dated 20.01.2025 and numbered 2024/13450 E. and 2025/700 K. (“Decision”) has been published. The Decision examines the process regarding the termination of an employee who, after being informed through a declaration of undertaking on the protection of personal data, committed an error leading to a personal data breach. The Decision establishes that, for the termination of the employment contract based on breaches concerning the protection of personal data to be deemed legally valid under “Code 49,” which signifies “the employee insisting on not performing duties that he/she is obliged to perform despite being reminded,” the employer must prove the employee's fault and that the necessary warnings were issued. In this respect, the Decision constitutes a precedent particularly regarding how erroneous actions by employees in the context of compliance with legislation should be addressed, the employer’s duty to warn, and the termination procedures.
As is well known, in labor law, the process of dismissal is not solely limited to the justification stated in the termination notice; the notification of the exit code to the Social Security Institution (“the SSI”) also has significant consequences for the employee’s future. Specifically, records such as “Code 49,” meaning “the employee insisting on not performing duties that he/she is obliged to perform despite being reminded,” eliminate the right to benefit from unemployment allowance and negatively affect future job applications. In this context, the Decision is important both in terms of the responsibility of employees and employers regarding the protection of personal data and in terms of declaratory lawsuits filed on the grounds that the termination code is unlawful.
2. Summary of the Incident and the Parties’ Claims
The chain of events subject to the Decision occurred when the Plaintiff Employee, working as a reporting officer at the relevant financial company, upon a client's request for an account statement, mistakenly encrypted and sent the file of another customer to the customer representative responsible for control. The Defendant Employer terminated the Plaintiff Employee’s employment contract on the grounds that this act constituted a violation of the Personal Data Protection Law (“Law”) and notified the SSI of “Code 49” as the exit code.
The Plaintiff Employee, in his statement of claim, argued that this notification was unjustified, that the incident occurred merely due to a momentary lapse, that the main responsibility lay with the customer representative who delivered the document to the client, that no training had been provided to him, and that no warning had been issued prior to the termination. Accordingly, the Plaintiff Employee requested that the justification be rectified to “Code 04,” signifying the termination of an indefinite-term employment contract by the employer without a valid reason.
The Defendant Employer asserted that the plaintiff was at fault, that necessary training had been provided, that the Employee had signed a declaration of commitment on the protection of personal data, that the necessary warnings regarding the protection of personal data had been issued, and that the violation of the Law was evident. On the other hand, the SSI stated that the termination code could only be amended upon the employer's application and that the legal action brought against it was procedurally invalid due to lack of legal standing.
3. Evaluations of the Courts
The First Instance Court reviewing the case determined that there was no evidence in the case file showing that the Plaintiff had previously been warned or that he insisted on not performing his duties despite being reminded, and that the termination of the employment contract was based on an erroneous action of the Plaintiff. Consequently, it ruled that the SSI termination code should be rectified to “Code 04,” which stands for “termination of an indefinite-term employment contract by the employer without a valid reason.” However, the lawsuit against the SSI was dismissed on the grounds that it lacked passive legal capacity to be sued.
The 30th Civil Chamber of the Ankara Regional Court of Appeals (“Regional Court of Appeals”) dismissed the appeals of the Plaintiff Employee and the Defendant Employer, considering that the employer had failed to prove that the plaintiff, who sent the account statement of another customer through an erroneous transaction within the scope of his duty, had acted intentionally and had insisted on this issue, that the termination was not based on a valid reason, and that it was appropriate to determine that the termination code was unlawful.
Upon review of the Regional Court of Appeals decision, the 9th Chamber, with its decision dated 20.01.2025 and numbered 2024/13450 E. and 2025/700 K., found the decision of the Regional Court of Appeals to be procedurally and substantively appropriate and concluded that the allegations raised in the appeal petition were not of a nature that would annul the decision.
4. Conclusion
The Decision analyzed in this study, rendered following the termination of an employee due to an error leading to a personal data breach, serves as guidance particularly in terms of the erroneous actions committed by employees in the context of compliance with legislation and the termination procedures. In this regard, factors such as the intentional nature of the employee’s wrongful acts during the relevant process, whether the employee was warned, whether the employee insisted on not performing duties he/she was reminded of, and whether the employer fulfilled its obligation to warn are of significant importance.