The Law No. 6698 on the Protection of Personal Data ("DP Law") requires data controllers to take adequate measures, as determined by the Personal Data Protection Board ("Board"), when processing special categories of personal data. The legislation defines these as data concerning racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, association, foundation or trade-union membership, health or sex life, and criminal convictions and security measures that a person may be subject to, together with biometric and genetic data. Although the DP Law was enacted on April 7, 2016, the Board did not determine or specify these "adequate measures" for almost two years after enactment.
On March 7, 2018, the Board's decision (No. 2018/10) on these adequate measures was finally published in the Official Gazette. The Board indicated in its decision that data controllers should determine a separate, systematic, and manageable procedure with definite rules for the protection of special categories of personal data.
The decision also requires data controllers (i) to take certain measures regarding their personnel who handle special categories of personal data, such as providing them with periodic training on the legislation, requiring them to sign non-disclosure agreements, defining the scope and limits of their authorizations and reviewing those authorizations periodically, and ensuring that equipment issued to authorized personnel is returned when their position or duty changes or their employment ends, and (ii) to adopt certain security measures for safeguarding such data in physical and electronic environments. The decision further prescribes specific procedures that data controllers must follow when transferring special categories of personal data.
As for the security measures to be implemented by data controllers, the decision states that if special categories of personal data are kept, processed and/or accessed in an electronic medium, the data should be secured using cryptographic methods, and the cryptographic keys should be kept securely and in a separate medium from the data they protect. The decision also specifies that all transaction records regarding such data must be logged in a secure environment. In addition, security updates for the data medium should be continuously monitored, the necessary security tests should be carried out regularly, and the results of these tests should be recorded. Moreover, if such data is accessed through software, users of that software should receive prior authorization and, once again, the necessary security tests should be performed regularly and their results recorded. If remote access to this type of data is required, at a minimum a two-step verification (two-factor authentication) system should be in place.
According to the Board's decision, if special categories of personal data are kept, processed and/or accessed in a physical medium, the data controller must ensure that the necessary security measures are taken against electrical leakage, fire, flood and theft, and must ensure the physical safety and security of these environments in order to prevent unauthorized entry and exit.
If the special categories of personal data will be transferred, the following requirements should be satisfied:
- If transferred via e-mail, such data should be sent from the corporate e-mail account or through a registered electronic mail address (Kayıtlı Elektronik Posta or "KEP" in Turkish);
- If transferred via a memory stick, CD or DVD, the data should be encrypted using cryptographic methods, and the cryptographic keys should be kept securely and in a separate environment from the media;
- If transferred between servers in separate physical locations, the data should be transferred over a virtual private network ("VPN") established between the servers or by using the secure file transfer protocol ("SFTP");
- If special categories of personal data are transferred on paper, the necessary and appropriate measures should be taken to prevent theft, loss or observation by unauthorized persons, and the documents should be sent in the "classified document" format.
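The decision's requirement for electronic media and removable media (cryptographic protection of the data, with the keys held securely in a separate medium) is easy to state and easy to get wrong in practice. The following is an added illustration written for this page, not code from the article or from the Board's decision, which names no particular algorithm. It assumes AES-256-GCM, a freshly generated key per transfer, and a simple rule that the key file and the ciphertext file may never be written to the same location; the record content and directory names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// EncryptForTransfer encrypts a record with AES-256-GCM under a freshly
// generated key. The sealed blob (nonce || ciphertext || tag) is what goes on
// the memory stick; the key is returned separately so that it can be stored
// in a different medium, as the Board's decision requires. (AES-GCM is an
// assumption of this example; the decision does not prescribe an algorithm.)
func EncryptForTransfer(plaintext []byte) (key, sealed []byte, err error) {
	key = make([]byte, 32) // 256-bit key
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err = sealWithKey(key, plaintext)
	if err != nil {
		return nil, nil, err
	}
	return key, sealed, nil
}

// sealWithKey produces nonce || ciphertext || tag with a random 96-bit nonce.
func sealWithKey(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses EncryptForTransfer. Any modification of the sealed blob,
// including the nonce, fails GCM's tag check and yields an error rather than
// silently returning corrupted data.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WriteSeparated writes the sealed blob to the transfer medium and the key to
// a different location, refusing to proceed if both resolve to the same
// directory. The file names are assumptions of this example.
func WriteSeparated(mediaDir, keyDir string, key, sealed []byte) error {
	absMedia, err := filepath.Abs(mediaDir)
	if err != nil {
		return err
	}
	absKey, err := filepath.Abs(keyDir)
	if err != nil {
		return err
	}
	if absMedia == absKey {
		return errors.New("key and ciphertext must not share a medium")
	}
	if err := os.WriteFile(filepath.Join(mediaDir, "data.enc"), sealed, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(keyDir, "data.key"), key, 0o600)
}

func main() {
	// Constructed sample record; not real personal data.
	key, sealed, err := EncryptForTransfer([]byte("patient 0001: blood type AB+"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes for the memory stick; the %d-byte key goes elsewhere\n", len(sealed), len(key))
	pt, err := Decrypt(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

The point a practitioner should take from this is the separation check in WriteSeparated: encrypting the file is the easy part, and the decision's requirement is only met if the key does not travel on the same stick or sit in the same folder as the ciphertext. The authenticated mode also means a tampered or truncated file is rejected on receipt instead of being processed as if it were genuine.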
Lastly, the Board's decision states that, in addition to the obligations above, the technical and administrative measures recommended in the Personal Data Security Guidelines published on the Board's website should also be taken into account when implementing the foregoing adequate measures.
The adequate measures that data controllers must implement in order to process special categories of personal data are now clearly listed by the Board in this decision. Data controllers should abide by these requirements and take all the measures and precautions set forth by the Board to ensure compliance with the DP Law when processing and transferring special categories of personal data.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2018. A link to the full Legal Insight Quarterly may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.