The Personal Data Protection Board1 (“Board”) published a decision numbered 30353 and dated 7 March 2018 on the official gazette regarding “The Adequate Measures that Need to be Taken by Data Controllers that Process Special Categories of Personal Data” (“Measures”) (Decision No: 2018/10, dated 31 January 2018).
The Board has determined the adequate measures that need to be taken by the data controllers when processing special categories of personal data.
Special categories of personal data, as defined in Article 6 of the Data Protection Law, is "[personal data] relating to racial or ethnic origin, political opinions, philosophical beliefs, religion, sectarian views or other beliefs, appearances and clothes, association, foundation or trade-union membership, health conditions, sexual life, criminal convictions and security measures, and biometric and genetic information."
As per the Board decision, in order to take the adequate security measures, data controllers must procure the following:
1. The issuing of a separate policy and procedure which is sustainable, manageable, systematic and that is governed by clear rules for the protection of personal data.
2. Addressing the employees who participate in the processing of special categories of personal data; in this respect, the following measures must be taken:
a. The laws and regulations related to periodical training regarding the security of special categories of personal data must be followed;
b. Confidentiality contracts must be concluded;
c. The scope of authorization and the time period of such authorization in respect of users who have the ability to access personal data, must be clearly determined;
d. Authorization controls shall be made periodically; and
e. Prompt de-authorization of those employees that are internally re-allocated or those who leave their jobs.
3. If the special categories of personal data are processed, stored and/or accessed electronically, the following measures must be taken:
a. The data must be stored through cryptographic means;
b. The cryptographic keys must be kept in separate and safe locations;
c. The records of all actions taken related to these data must be logged safely;
d. The security updates related to a venue where the data is located must be followed up continuously, security tests that are necessary must be conducted periodically (either by the data controller or by third parties contracted), and the test results must be recorded;
e. If access to data is made through software, the user authorizations related to this software must be made, this software must be held subject to security tests periodically (either by the data controller himself or by third parties contracted), and the test results must be recorded; and
f. If remote access is necessary, a dual ID confirmation system must be established.
4. If the special categories of personal data are processed, stored and/or accessed physically, the following measures must be taken:
a. It must be ensured that the physical venue where personal data is located has been equipped with adequate security measures (electrical leakage, fire, flood, theft, etc.);
b. These venues must be physically secured and unauthorized entrance must be prevented.
5. If the special categories of personal data are to be transmitted, the following measures must be taken:
a. Either corporate e-mail addresses or Registered Electronic Mail (KEP) address must be utilized if the transmission is to be made through e-mail;
b. If the transmission is to be made through the use of flash drives, CDs, or DVDs, the data shall be encrypted by cryptographic means and the cryptographic key must be located in a respective venue;
c. If the transmission is made between two respective physical venues, a VPN must be established between servers or the transmission must be made by the sFTP method; and
d. If the transmission is to be made through an exchange of printed documents, measures must be taken in order to prevent theft, loss, or disclosure to unauthorized persons and the document shall be sent after being classified based on their “levels of confidentiality”.
The Measures must be applied with the technical and administrative safeguards that are published in the Personal Data Protection Guide (pls. see the link - currently available only in Turkish) by the organizations who control sensitive data, in order to have a full compliance.
Finally, the Board has the authority to impose monetary penalties between TRY 15,000 (fifteen thousand Turkish Liras) to TRY 1,000,000 (one million Turkish Liras) with respect to any non-compliance with the data security obligations.