Founder
July 15, 2026
21 min read
Using data obtained from learning management systems (LMS) in performance assessment is not categorically prohibited. The real issue is the legal distinction between “tracking training completion” and “turning learning behaviour into a performance score”: the former is often defensible where the purpose is narrow and the legal basis is sound; the latter brings purpose creep, breaches of proportionality, automated-decision risk and evidentiary invalidity into play.
Unlike “emergency remote teaching” — the improvised effort to keep instruction going with whatever tools are available in a crisis — planned distance education is delivered through systematic activities within a lifelong-learning framework. University UZEMs and corporate HR units manage that process through platforms such as Moodle, Canvas and SAP SuccessFactors Learning. The same technical infrastructure may carry both student coursework and staff compliance, occupational-safety or ethics training. The problem begins when the platform ceases to be a training-management tool and starts, invisibly, to produce a behavioural profile of the employee or staff member.
“Stealth monitoring” means tracking the learning flow through background records of which the employee is not fully aware. Once data such as “How many minutes did they take to finish the assigned training?”, “At which module did they pause?”, or “Which option did they choose in the ethics scenario?” are bridged to personnel outcomes such as promotion, bonuses, discipline or dismissal, legal controversy becomes inevitable. The employer’s or institution’s proprietary rights over the system do not confer unlimited discretion over the records obtained; those records are often personal data in their own right, and in some cases special-category personal data.
This article sets out the limits on using LMS data in performance assessment in corporate and university settings, under the KVKK, employment law, the Turkish Code of Obligations (TBK) and high-court case law — as a readable synthesis for UZEM administrators, legal departments and compliance teams.
Not every record an LMS produces carries the same legal weight. The distinction between completion and certification data on the one hand, and click depth, time-on-page or algorithmic labelling on the other, forms the backbone of any compliance programme.
Stealth monitoring, unlike visible camera or clock-in systems, is the detailed and continuous background recording of every interaction the employee has with the system. In corporate LMS environments this appears as analytics modules left on by default, behavioural scores pushed automatically into HR systems, or the generation of a “learning profile” that has never been clearly communicated to the employee.
By contrast, checking whether mandatory training has been completed, retaining pass/fail examination information, or keeping certificate records for audit purposes — with appropriate notice and purpose limitation — will in many cases fall into a different legal category. The question is not “May LMS data be collected?” but which data are processed, for which purpose, on which legal basis, and with how much visibility.
University UZEMs need an additional caveat: even where student data and staff/employee data sit on the same platform, they remain subject to two different data subjects. Mixing student analytics with staff-performance analytics in a single data pool creates serious risk under both the KVKK and institutional governance.
Moodle course and activity logs; Canvas “page view” and “participation” analytics; SAP SuccessFactors Learning completion status and mastery-score records — all are functional for training management. Yet Canvas’s own documentation states that page-view data are only an approximate activity indicator and should not be treated as an absolute measure. That technical limitation holds in the legal assessment as well: an LMS metric cannot be treated as a reliable proxy for job performance.
LMS data should be read across four risk tiers:
Compliance (low–medium risk): Completion, certificates, pass/fail, assignment date. Typical purpose: discharging a legal or institutional obligation.
Interaction (medium risk): Session duration, module access, login/logout logs. Typical purpose: training management and reminders.
Behavioural (high risk): Time-on-page (dwell time), click depth, late-night access. Typical purpose: performance scoring or measuring “engagement.”
Inferential (very high risk): Labels such as “ethics risk,” “focus problem,” or “low leadership potential.” Typical purpose: feeding promotion, discipline or dismissal decisions.
The traffic / content / inference distinction settled in ECtHR case law should be read in parallel with this layering. Whether someone logged into the system is traffic data; hesitation time inside a module, or which option was selected, is content and behavioural data; the label an algorithm derives from those inputs is inferential data. Traffic data may be processed for a narrow purpose; when content and inference data are tied to a performance decision, the proportionality test applies far more stringently.
Under Turkish law, the first threshold is not whether an LMS record counts as personal data; it almost always does. The “the system is ours” defence does not displace the purpose-limitation, proportionality and notice obligations in KVKK Art. 4.
Law No. 6698 on the Protection of Personal Data (KVKK) treats as personal data any information relating to an identified or identifiable natural person. Click records matched to a user identity, session durations, examination results, completion information and meta-data such as IP address or device type all fall within that definition. KVKK Art. 4 mandatorily requires lawfulness, fairness, a specific–explicit–legitimate purpose, limitation and proportionality, and retention only for as long as necessary.
Labour Law Art. 75 requires the employer to use information obtained about the employee in accordance with the rules of good faith and the law, and not to disclose information in whose confidentiality the employee has a legitimate interest. TBK Art. 417 expressly regulates the employer’s duty to protect the employee’s personality. Read together, these provisions mean that the mere fact of having obtained LMS data does not convert them into unlimited assessment data.
Employers often place a “Notice and Explicit Consent Text” at LMS login. Yet the employment relationship involves economic and practical dependence; whether consent obtained from an employee who must enter the platform to complete mandatory training is given of “free will” is contested. In its principle decision No. 2026/921, the KVKK Board likewise recognised that the power imbalance in the employment relationship creates serious doubt as to explicit consent. WP29/EDPB opinions in the EU draw the same line: in the employment context, consent is often not a valid legal basis.
Accordingly, the primary bases for LMS data should, under KVKK Art. 5/2, be performance of a contract, legal obligation and legitimate interest. Assigning mandatory regulatory training, retaining completion information and keeping it ready for audit can in many cases be tied to a legal obligation or to performance of a contract. Legitimate interest may arise for monitoring training effectiveness or preventing gaps in compliance training; it must, however, pass the tests of not harming fundamental rights and of proportionality.
Legitimate interest is not a blank cheque that legitimises every processing operation. In its decision No. 2023/789, the KVKK Board held that continuous monitoring of employee screens may interfere with private life; in decision No. 2024/1512 it held that “activity monitoring” software installed on a computer cannot rely on the legitimate-interest exception. Analysing every click, waiting time and behavioural pattern on an LMS is, in light of those decisions, in the nature of “activity monitoring” and is a weak basis for performance scoring.
Narrow data close to the purpose — completion, pass/fail, mandatory certification — are more defensible; behavioural traces such as click intensity, time-on-page or late-night access are risky bases for a performance decision.
Within this framework the following provisions lead to these conclusions:
KVKK Art. 4: The purpose must be specific, explicit and legitimate; data must be processed proportionately.
KVKK Art. 5: A statutory basis other than consent must be sought.
KVKK Arts. 10–12: Notice and security measures are mandatory.
KVKK Art. 11/g: Confers a right to object to exclusively automated analysis.
Labour Law Art. 75: A personnel file does not create an unlimited right of use.
TBK Art. 417: Mandates the duty to protect personality and to maintain an honest workplace order.
Under KVKK Art. 6, data concerning health, biometrics, political opinion, philosophical belief and similar matters are special-category personal data. The 2024 amendment expanded the Art. 6 regime; that does not, however, mean unlimited processing.
In interactive scenario training such as “Workplace Ethics,” “Combating Discrimination” or “Preventing Sexual Harassment,” reporting an employee’s chosen options to HR as a “risk profile” carries the risk of indirectly processing philosophical belief, psychological state or health data. For example, selecting an option in a whistleblowing scenario that does not fully align with institutional policy but reflects the employee’s conscientious preference — and having that choice reflected in a performance file — both undermines the pedagogical safety of the training process and creates serious data-protection risk. Where biometric exam proctoring (facial recognition, proctoring) is involved, the threshold rises further; the KVKK Board’s decision No. 2022/797 likewise highlighted the need to consider alternative methods. Even where staff training and student examination security are pursued for different purposes in university UZEMs, the cross-use of biometric or behavioural data collected on the same platform is especially objectionable.
In its decision on institutional e-mail monitoring (E.Ü., App. No. 2016/13010, 17.09.2020), the Constitutional Court stressed that the employer’s monitoring power is not unlimited; it required prior clear information, a legitimate ground, an assessment of whether less intrusive alternatives exist, and an evaluation of the scope of the interference. That logic applies directly to an LMS:
Prior notice: The employee must know which data are collected and for which purpose.
Less intrusive means: Where a completion record would suffice and behavioural analytics are not necessary, the latter should not be preferred.
Scope: Content/behavioural data must be kept narrower than traffic data.
Weight of the outcome: Heavy outcomes such as promotion or dismissal tighten the proportionality test.
In Bărbulescu v. Romania, the European Court of Human Rights emphasised prior notice and a balancing test; in López Ribalda v. Spain it held that covert surveillance is accepted only exceptionally — where it is targeted, short-term and strongly justified. The lesson for the LMS context is clear: covert and continuous behavioural scoring is the exception, not the rule.
Where data-protection rules are breached, the risk need not stop at administrative sanctions. If an LMS metric is to ground a performance or dismissal decision, the criterion must have been notified in advance and the alleged underperformance must be proved as continuous and objective; records accumulated silently may fail both as evidence and as a valid ground for dismissal.
Labour Law Art. 75 permits a personnel file to be kept; yet information obtained must be used in accordance with the rules of good faith. TBK Art. 417 places on the employer a duty to protect the employee’s personality and to prevent psychological harassment.
Learning, by its nature, is open to error, hesitation and development. The perception that an LMS platform offered by the institution is quietly keeping a performance file creates loss of trust and learning anxiety among employees. The training space should be a safe zone that allows trial and error without fear of being judged; systematic and invisible scoring breaches the duty of honest workplace order under TBK Art. 417.
Under Occupational Health and Safety Law No. 6331, the employer must protect not only the employee’s physical health but also their psychological health. Surveillance stress — especially where LMS analytics are searched retrospectively during performance periods — may be assessed as an occupational risk factor. Moreover, LMS algorithms may generate standard metrics without regard to age, technological literacy or neurodiversity; treating employees in the same department differently may undermine the duty of equal treatment (in light of the good-faith rule in Turkish Civil Code Art. 2).
Under Labour Law Art. 18, in workplaces employing thirty or more workers, the indefinite-term contract of a worker with at least six months’ seniority may be terminated only for a valid reason. Poor performance and reduced productivity are among the valid reasons based on competence; yet under Court of Cassation (Yargıtay) practice, a bare allegation of reduced productivity is not enough.
First, performance criteria must be objective, realistic and reasonable, and must have been notified to the worker in advance. If how many minutes an employee took to finish a course on the LMS, or an examination grade, was never announced as an objective rule at the start of the year or before the training, it cannot ground dismissal. Data accumulated in the background through stealth monitoring cannot pass this test.
Second, the underperformance must be continuous. Failure in a training module entered after an intensive working day is not, on its own, enough for a “weak performance” label.
Third, the employer must prove that it provided training and improvement opportunities consistent with its high-performance expectations. The LMS itself is a tool for delivering training; dismissing an employee who struggles in training on the basis of the same data contradicts legal logic. Dismissal must be the ultima ratio (last resort); under Art. 19 the right to defend oneself must be afforded. A report produced by an algorithm cannot, on its own, be a dismissal document.
Recent Court of Cassation case law has tightened markedly around workplace surveillance. The 9th Civil Chamber of the Court of Cassation (2024/9802 E., 2025/3341 K.) treated continuous monitoring of employee screens as a violation of private life and held that data obtained that way cannot ground disciplinary sanctions. The 22nd Civil Chamber (2024/6534 E., 2025/2145 K.) rejected a legitimate-interest defence to monitoring of communications traffic without prior consent or adequate notice. In earlier decisions of that Chamber, keyloggers and background tracking software secretly installed on computers were also found unlawful and the data obtained were held invalid. Enabling LMS analytics modules without clearly informing the employee is open to assessment along the same line of authority.
Under the mandatory rule in Code of Civil Procedure (HMK) Art. 189/2, evidence obtained by unlawful means may not be taken into account by the courts. Records collected in the background without first notifying the employee clearly and understandably that LMS behavioural data would be used in performance assessment may be treated as “unlawful evidence” in an employment dispute. That may lead to the dismissal being held unfair, with reinstatement and compensation consequences.
International regimes differ in detail but converge on a common core: in workplace monitoring, transparency is the default; covert and continuous surveillance is a narrow exception.
GDPR Art. 22 protects against decisions based solely on automated processing (including profiling) that produce legal effects concerning the person or similarly significant effects. An LMS algorithm producing a “not eligible for promotion” profile from training speed and interaction data and feeding that into the HR system without human intervention carries a risk of breaching GDPR Art. 22. Under GDPR Art. 35, high-risk processing requires a data protection impact assessment (DPIA); systematic employee monitoring falls within that scope.
Comparatively, the common trend is that transparency is the default and covert surveillance the exception:
EU (GDPR): Purpose limitation, data minimisation and DPIA are prominent; Art. 22 limits automated decisions.
United Kingdom (ICO): Transparent monitoring is the default; covert monitoring must be kept narrow and justified.
Australia (NSW): Written notice at least 14 days before monitoring is required; covert monitoring may engage criminal law.
United States (selected states): Connecticut, Delaware and New York require notice of electronic monitoring; the EEOC and NLRB have warned on discrimination and labour rights in algorithmic management.
Canada (PIPEDA): Meaningful notice is required; in Ontario, employers with 25+ employees must publish a written electronic-monitoring policy.
In Türkiye’s ongoing KVKK revision work — still at the level of draft / expectation, not settled legislation — data impact assessments (VEA), prior information, employee representation and limited retention periods for digital performance monitoring are on the agenda. Building a three-ring compliance model and impact-assessment processes today would be sound preparation for possible legislative change.
The most defensible corporate-compliance approach is to split LMS data into three rings by purpose. That split turns the KVKK proportionality principle and the Constitutional Court’s “least intrusive means” test into operational practice.
Assignment, completion, pass/fail, certificate date. These data rest on a firmer footing through legal obligation, performance of a contract or audit need. Even in performance decisions — with objective criteria notified in advance — limited and documented use is possible.
Improving content quality, module-difficulty analysis, overall completion rates. Processing should, so far as possible, be anonymised or aggregated; it must not be turned into individual profiling.
Click patterns, time-on-screen, work rhythm, late-night access, device use. This is the most problematic ring. It should not be a decisive input for promotion, pay, discipline or dismissal; if it is used, an open policy, an impact assessment, human review and an objection mechanism are mandatory.
How the model works: LMS data arise → data type is classified → purpose and legal-basis tests are applied → notice and access rights are defined → human-supervised assessment is carried out → a decision record and objection channel are opened → on expiry of the retention period, deletion or anonymisation is performed.
For SMEs and mid-sized organisations, analytics modules should be kept off by default; progress should be limited to a minimal data set such as completion, deadlines, pass grades and certificate issuance. For large organisations and universities, a joint L&D–HR–Legal–Information Security committee, boundaries on algorithmic scoring and periodic model audits are required.
The summary below sets out typical risk areas and preventive measures:
Purpose creep: Risks a KVKK breach and contested evidence. Prevention: separate training management from performance management at data-set level.
Monitoring without notice: May lead to administrative sanctions and claims of rights violations. Prevention: layered notice at onboarding and at first LMS use.
Disproportionate data collection: Breaches proportionality. Prevention: use aggregated analysis rather than clickstreams; keep individual analytics exceptional.
Automated decisions: Create objection and fair-process risk. Prevention: require human review; define score explanation and an objection channel.
Excessively long retention: Risks under the KVKK and Turkish Penal Code (TCK) Art. 138. Prevention: separate raw logs from mandatory training records; apply a deletion calendar.
The typical contract architecture of providers such as Instructure (Canvas), Moodle and SAP positions the institution as controller and the provider as processor. A Data Processing Agreement (DPA), sub-processors and cross-border transfer safeguards form part of the contract. A SaaS contract does not, however, relieve the institution of responsibility: establishing the legal basis, giving notice, setting retention periods and managing data-subject rights remain the controller’s duties.
In practice, the safe path runs through minimal data collection, an open policy, three-ring separation, short retention, human oversight and an objection mechanism. The questions below make that framework usable in internal audits.
Within the YÖKAK distance-education quality-assurance framework, ethics, information security and monitoring/improvement mechanisms are emphasised as institutional responsibilities. UZEM administrators should read that framework by clarifying, at policy level, the boundary between “learning analytics” and “staff-performance surveillance.” Keeping student-success analytics within pedagogical purpose, while silently transferring staff LMS data into HR metrics, creates misalignment for both quality assurance and data protection.
The list below may be used as “pass / remove / change” questions when configuring UZEM and corporate LMS environments:
Are behavioural analytics modules off by default?
Are student and staff data sets separated technically and contractually?
Does the notice state clearly in writing that LMS data will not be used alone for performance/disciplinary decisions?
Is an automated score or label not linked to an HR decision without human review?
Have LMS metrics to be used as performance criteria been notified to the employee in advance?
Are separate retention periods defined for raw logs and for legally required training-completion records?
Have transfer safeguards and a DPA been completed for SaaS hosted abroad?
Have alternative methods to biometric proctoring been assessed and documented?
Are responses from ethics/compliance scenario training not transferred into a performance profile?
Are the data inventory, deletion calendar and access-permission matrix up to date?
Has an impact assessment (VEA/DPIA-like) been carried out for high-risk processing?
Have employee or student representatives been informed about the monitoring/analytics policy?
The institution divides LMS data into three categories: mandatory compliance data; anonymised/aggregated learning-design data; and exceptional behavioural-analytics data. Behavioural analytics are not processed on an individual basis without an open policy and legal-unit approval. Indirect indicators such as “number of clicks,” “time-on-page” or “late-night login” cannot, on their own, ground an adverse employment outcome. No decision on promotion, pay, discipline or dismissal is taken about any employee solely on the basis of automated system output. Raw logs are retained for a short period; mandatory training records are kept only for as long as legally and operationally necessary.
Using data obtained from corporate and university LMS platforms in performance assessment is not automatically prohibited as a matter of law; yet the legitimacy of that use is tightly bound to the type of data, the purpose, the legal basis and transparency. The main lines of the article may be summarised as follows:
Completion tracking and behavioural scoring are distinct legal regimes. The former is defensible with a narrow purpose and a suitable basis; the latter risks purpose creep and breaches of proportionality.
Consent cannot be the primary basis in the employment relationship. Legitimate interest must pass a balancing test; LMS analytics in the nature of activity monitoring will often fail that test.
Prior notice is required for performance, discipline and dismissal. LMS data accumulated silently may not constitute a valid ground for dismissal or admissible evidence (HMK Art. 189/2).
Automated profiling cannot be used without human oversight and an objection channel (KVKK Art. 11/g; GDPR Art. 22).
The safe formula for UZEMs and institutions: minimal data + open policy + three-ring separation + short retention + human oversight + an objection mechanism.
An LMS is primarily for managing education — not for measuring performance in secret. Feeding raw event data into a personnel assessment system while less intrusive alternatives exist carries high risk under Turkish law. Until the conversion of training data into HR data sheds its “silent” and “covert” character and is rebuilt around transparency, proportionality and purpose limitation, the big data obtained may turn into hard-to-remedy compensation claims and administrative sanctions.
Law No. 6698 on the Protection of Personal Data (KVKK)
Labour Law No. 4857 (Arts. 75, 18, 19)
Turkish Code of Obligations No. 6098 (Art. 417)
Code of Civil Procedure No. 6100 (Art. 189/2)
Turkish Penal Code No. 5237 (Arts. 134–138)
KVKK Board, decision No. 2020/404
KVKK Board, decision No. 2022/797
KVKK Board, decision No. 2023/789
KVKK Board, decision No. 2024/1512
KVKK Board, principle decision No. 2026/921
Constitutional Court, E.Ü. application, App. No. 2016/13010, 17.09.2020
ECtHR, Bărbulescu v. Romania, App. No. 61496/08, 5 September 2017
ECtHR, López Ribalda v. Spain
GDPR (Regulation (EU) 2016/679), Arts. 5, 6, 13, 22, 35
WP29 Opinion 2/2017 (Processing of personal data at work)
Court of Cassation (Yargıtay), 9th Civil Chamber, 2024/9802 E., 2025/3341 K.
Court of Cassation (Yargıtay), 22nd Civil Chamber, 2024/6534 E., 2025/2145 K.
KVKK, Guide on Fulfilment of the Obligation to Inform
KVKK, Guide on Processing of Special Categories of Personal Data
Moodle Logs/Logging; Canvas Analytics documentation (Instructure)
For legal counsel on IT law, UZEM compliance and KVKK matters, you may contact Genesis Hukuk.