The Turkish Personal Data Protection Authority (DPA) published its Guideline on Processing Biometric Data ("Guideline") on 17 September 2021. The Guideline first defines biometric data and then sets out the principles that apply to processing it. The Turkish version is available here.
What Does the Guideline Say?
The Guideline first defines biometric data in light of the definitions set out under judicial decisions and the European Union General Data Protection Regulation. Based on these definitions, biometric data is defined as physical or behavioral characteristics that are personal, unique and one of a kind. The DPA states that biometric data is data that (i) cannot be forgotten, (ii) remains the same for a lifetime and (iii) is owned without intervention. Biometric data facilitates distinguishing individuals and eliminates the possibility of confusion.
The DPA further divides biometric data into two categories: physical and behavioral biometric data. Physical biometric data includes an individual’s fingerprint, retina, palm, face, hand shape and iris; behavioral biometric data includes an individual’s walking style, typing style, driving style, etc.
The DPA states that biometric data is considered sensitive personal data under Article 6 of the Personal Data Protection Law ("Law") and is subject to the processing conditions of sensitive personal data. Pursuant to Article 6(3) of the Law, personal data other than health and sex life data may be processed without the explicit consent of the data subject if the processing is expressly laid down in the laws. The DPA states that if the processing of biometric data is expressly stipulated under other laws, such provisions will be applicable. Furthermore, the DPA underlines that the processing of biometric data should be carried out in accordance with the general principles set forth under Article 4 of the Law. In addition to these general principles, the DPA points out that case-by-case evaluations should be made in the processing of personal data, referring to its summary decisions dated 25 March 2019 numbered 2019/81 and 31 May 2019 numbered 2019/165 on biometric data.
The principles to be followed in the processing of biometric data in accordance with the Guideline are as follows:
- The data controller must process biometric data in accordance with Article 4 and Article 6 of the Law and the following principles set forth in the Guideline:
  - Data processing activity must not infringe the essence of fundamental rights and freedoms.
  - The method of data processing must be suitable for the purpose of processing and for achieving that purpose.
  - The method of data processing must be necessary for the purpose to be achieved.
  - The purpose to be achieved and the means of data processing must be proportionate.
- Biometric data must be retained for as long as necessary, and after the necessity ceases, the data should be destroyed promptly and without delay.
- The obligation to inform must be fulfilled.
- If explicit consent is required, the explicit consent of data subjects must be obtained in accordance with the Law.
- The data controller must keep records and documentation of fulfillment of the principles specified in the Guideline.
- Genetic data must not be obtained unless it is necessary.
- Justification and documentation must be provided for choosing the relevant biometric data type.
- Biometric data must be kept as long as necessary.
The DPA further states that in order to ensure the security of biometric data, the measures stated in its decision on “Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data” and in the previous guidelines must be taken. In addition to these measures, the Guideline includes additional administrative and technical measures for processing biometric data. The main measures outlined are as follows:
- Biometric data stored in cloud systems must be protected using cryptographic methods.
- Derived biometric data must be stored in a way that does not allow the recovery of the original biometric feature.
- Biometric data and its templates must be encrypted using cryptographic methods to provide sufficient security.
- Before installing the system and after any updates, the data controller must test the system using synthetic data in test environments.
- The data controller must use certified equipment, and licensed and up-to-date software in the systems.
- The data controller must be able to monitor and limit user actions on software that processes biometric data.
- An alternative system must be provided for data subjects who do not give their explicit consent or when the biometric solution is not being used.
- An action plan must be created for cases where authentication cannot be made by biometric methods.
- A mechanism for authorized persons to access biometric data systems must be established and managed, and the persons responsible for these systems must be identified and documented.
- Training on the processing of biometric data must be provided to the employees, and such training must be documented.
Biometric data contains significant information about data subjects due to its nature. With this Guideline, the DPA aims to ensure the protection and security of biometric data by setting out additional obligations for data controllers in relation to its processing. Data controllers who carry out biometric data processing activities must comply with the principles and measures specified in the Guideline.