What is biometric data?
On 17 September 2021 the Turkish Personal Data Protection Authority (DPA) published the Guideline on Matters to be Considered When Processing Biometric Data. The guideline emphasises the purpose and importance of the Law on the Protection of Personal Data (DPL) within the framework of the fundamental rights and freedoms of individuals, in particular the "privacy of private life". It also outlines the scope of the special categories of personal data and defines "biometric data".
The guideline's definition of "biometric data" follows the EU General Data Protection Regulation. On that basis, data must meet both of the following conditions to qualify as biometric data:
- distinctive features of the individual (eg, physiological, physical or behavioural characteristics) must be derived from the processing of the data; and
- the derived features must be personal data that allow the individual to be identified or the individual's identity to be verified.
Within the scope of these criteria, the DPA has defined "biometric data" as data that:
- a person cannot forget;
- generally does not change over the course of a person's lifetime; and
- can be obtained effortlessly without the need for any intervention.
Because of these properties, biometric data makes it easy to distinguish individuals from one another and all but eliminates the possibility of confusing them.
In this context, biometric data is divided into two categories: physiological and behavioural. Examples of physiological data include a person's fingerprint, retina, palm, face, hand geometry or iris; examples of behavioural data include a person's gait, typing pattern on a keyboard (keystroke dynamics) and driving style.
Referring to its previous decisions, the DPA states in the guideline that each case must be assessed on its own facts. To make the guideline practically useful, the DPA then examines biometric data processing principles and biometric data security in detail.
Biometric data processing principles
Data controllers may process biometric data in accordance with the general principles in article 4 and the processing conditions in article 6 of the DPL, provided that they also comply with the following principles:
- Biometric data processing is subject to the fundamental rights and freedoms regime and must not violate the essence of fundamental rights and freedoms.
- The method used must be capable of achieving the purpose of processing, and the processing activity must be suitable for that purpose.
- The biometric method must be necessary to reach the objective. If a less intrusive way of achieving the same purpose exists, biometric processing is deemed unnecessary.
- Proportionality must be assessed in each case: where more than one means of processing is available, the most suitable one must be chosen.
- Data should be kept for only as long as necessary. After the necessity ceases, data must be destroyed without delay.
- Data controllers are required to fulfil their obligation to inform data subjects of the purpose of processing in accordance with article 10 of the DPL.
- If explicit consent is required, it must be obtained in accordance with the DPL. Under the DPL, consent must be an explicit, active declaration of intent that is:
  - specific to the particular matter for which the data is processed;
  - informed;
  - freely given; and
  - not presented as a precondition for the provision of a service.
The DPA recommends documenting compliance with these points. It adds that choosing the right type of biometric data matters, and that the reasons for selecting one type over others must be documented. Lastly, genetic data should not be collected alongside biometric data unless strictly necessary.
Biometric data security
In addition to these principles, the guideline sets out organisational and technical measures to secure biometric data. The measures specified in the DPA's decision on Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data (Decision No. 2018/10 of 31 January 2018) must be taken, and the guideline adds further measures specific to the processing of biometric data.
Technical measures
The technical measures set out by the guideline are as follows:
- Biometric data may be stored in cloud systems only with cryptographic protection, and the encryption and key management policy must be clearly defined.
- Derived biometric data (such as templates) should be stored in a form that does not allow the original biometric feature to be recovered.
- Before the system goes live and after any change, the data controller should test it with synthetic (ie, not real) data in a test environment.
- Measures should be in place that, on unauthorised access, alert the system administrator and/or report the event and delete the biometric data.
- Data controllers should use certified equipment and licensed, up-to-date (preferably open-source) software, and apply updates to the system in a timely manner.
- The lifetime of devices that process biometric data should be monitored.
- The data controller should be able to monitor and restrict user actions within the software.
- Hardware and software tests of the biometric system should be carried out periodically.
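The first technical measure (cryptographic protection in cloud storage with a defined encryption and key management policy) is abstract as written. The following Go program is an added example, not code from the guideline, the DPA or the authors of this article, of what such a policy looks like in practice: each stored template is encrypted under its own data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under an identified key-encryption key (KEK), the record carries the KEK ID so it still resolves after rotation, associated data binds the record to its subject, and retiring a KEK makes every record under it unrecoverable (cryptographic erasure, which is also one way to meet the retention principle above). The key store, key IDs, subject IDs and template bytes are constructed for the example; a real deployment would keep the KEKs in a KMS or HSM and would also re-wrap existing records after rotation, which is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for the HSM or cloud KMS holding key-encryption keys (KEKs); in-memory by assumption.
type KeyStore struct {
	keks    map[string][]byte
	current string
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// AddKEK generates a 256-bit KEK under id and makes it current: the rotation step.
func (ks *KeyStore) AddKEK(id string) {
	ks.keks[id] = randBytes(32)
	ks.current = id
}

// RetireKEK destroys a KEK; every record wrapped under it becomes unrecoverable
// (cryptographic erasure), which is how "destroy without delay" is done at scale.
func (ks *KeyStore) RetireKEK(id string) { delete(ks.keks, id) }

// Record is everything persisted per enrolment: no raw sample, no plaintext template.
type Record struct {
	SubjectID  string
	KEKID      string // which KEK wraps the DEK, so old records still resolve after rotation
	WrappedDEK []byte // per-record data key, AES-256-GCM under the KEK
	Ciphertext []byte // template, AES-256-GCM under the DEK, nonce prepended
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// aeadSeal returns nonce||ciphertext||tag with a fresh random nonce per call.
func aeadSeal(key, plaintext, aad []byte) []byte {
	g := newAEAD(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func aeadOpen(key, data, aad []byte) ([]byte, error) {
	g := newAEAD(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// dekAAD binds the wrapped DEK to its subject and KEK: moving a record to another
// subject, or unwrapping it under the wrong key, makes GCM authentication fail.
func dekAAD(subject, kek string) []byte { return []byte("subject:" + subject + ";kek:" + kek) }

// Enroll encrypts the template under a fresh DEK and wraps the DEK under the current KEK.
func Enroll(ks *KeyStore, subjectID string, template []byte) (*Record, error) {
	kek, ok := ks.keks[ks.current]
	if !ok {
		return nil, errors.New("no current KEK")
	}
	dek := randBytes(32)
	return &Record{
		SubjectID:  subjectID,
		KEKID:      ks.current,
		WrappedDEK: aeadSeal(kek, dek, dekAAD(subjectID, ks.current)),
		Ciphertext: aeadSeal(dek, template, []byte("subject:"+subjectID)),
	}, nil
}

// Decrypt fails if the KEK was retired, the record was tampered with, or it was re-attached to another subject.
func Decrypt(ks *KeyStore, rec *Record) ([]byte, error) {
	kek, ok := ks.keks[rec.KEKID]
	if !ok {
		return nil, errors.New("unknown or retired KEK: " + rec.KEKID)
	}
	dek, err := aeadOpen(kek, rec.WrappedDEK, dekAAD(rec.SubjectID, rec.KEKID))
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, rec.Ciphertext, []byte("subject:"+rec.SubjectID))
}
```

Note that this addresses only the first measure. Encryption under keys the controller holds does not satisfy the second measure on its own, because the controller can always decrypt back to the stored template; irreversibility of the derived data is a property of the template format or a template-protection scheme, not of the storage encryption.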
Organisational measures
The organisational measures set out by the guideline are as follows:
- An alternative system should be provided for individuals who cannot use the biometric solution (eg, individuals with a disability that makes it difficult to use, or whose biometric data cannot be captured or read).
- An action plan should be in place for cases where authentication by biometric means fails.
- An access mechanism to biometric data systems for authorised persons should be established and managed, and the persons responsible should be identified and documented.
- Relevant personnel must be trained and the training must be documented.
- A formal procedure should be established for reporting possible security vulnerabilities and the threats that may arise from them.
- An emergency procedure for data breaches should be established and communicated.
For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Bensu Özdemir at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected], [email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/.