Turkish Personal Data Protection Board ("Board") issued a new decision on January 31, 2018 (Decision w.no. 2018/10, "Decision") regarding adequate measures that must be put in place by data controllers that process special categories of personal data. The Decision was published in the Official Gazette w. no. 30353 and entered into force on March 7, 2018.

The definition of special categories of personal data under the Personal Data Protection Law No.6698 ("DPL") is mostly in line with article 9(1) of the GDPR. Accordingly, special categories of personal data is defined under article 6(1) of the DPL as:

"personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sex life, convictions and security measures, and the biometric and genetic data".

Article 6(4) of the DPL gives the Board the duty and authority to determine adequate measures that must be put in place by data controllers that process special categories of personal data. Within this context, the Board decided that data controllers must take the following measures if they process special categories of personal data;

  1. Security Policy: A separate security policy and procedures for the protection of special categories of personal data must be defined. The security policy and procedures must be systematic, manageable, and sustainable with rules that are clearly defined.
  2. Measures with respect to employees who process special categories of personal data:

    1. Periodic trainings with respect to the DPL, secondary regulations and security of special categories of personal data must be provided to the employees.
    2. Confidentiality agreement must be signed with the employees.
    3. The scope and duration of access authorization for users who have access to data must be clearly defined.
    4. Periodic access authorization controls must be carried out.
    5. Access authorizations of employees who changed positions or who are no longer working must be revoked immediately. In this scope, data controllers must ensure that inventories assigned to such employees are returned to them.  
  3. Measures with respect to electronic environments: In the event special categories of personal data are processed, kept and/or accessed electronically;

    1. Data must be stored using cryptographic techniques.
    2. Cryptographic keys must be stored in secure and different environments.
    3. Records of all processing of data must be securely logged.
    4. Security updates for the environments where data is stored must be installed regularly, necessary security tests must be conducted periodically and test results must be recorded.
    5. If data is accessed through a software, user access authorizations must be defined and security tests related to the software must be conducted periodically and test results must be recorded.
    6. If remote access to data is necessary, minimum two-factor identity authentication system must be adopted.
  4. Measures with respect to physical environments: In the event special categories of personal data are processed, kept and/or accessed physically, data controller must;

    1. Ensure adequate security measures (against electrical leakage, fire, flood, theft etc.) are taken depending on the nature of the environment where data is stored,
    2. Ensure the physical security of these environments to prevent unauthorized entry and exit.
  5. Measures with respect to data transfers:

    1. For transfers via e-mail, data must be encrypted and transferred via corporate e-mail address or Registered Electronic Mail account (KEP address).
    2. For transfers via portable memory, CD, DVD, etc., data must be encrypted using cryptographic methods and cryptographic keys must be stored in a different location,
    3. For transfers between servers in different physical environments, a VPN must be set up or sFTP method shall be used.
    4. For hard copy transfers; adequate security measures must be taken against risks such as theft, loss or being seen by unauthorized persons and documents must be sent in "confidentiality classified document" format.
  6. Other Measures: In addition to the foregoing measures, technical and administrative measures to meet the adequate security levels determined under the Personal Data Security Guide published on the official website of the Personal Data Protection Authority must be taken into account by data controllers.

These measures concern all businesses operating in Turkey regardless of their sector, because special categories of personal data is processed by all businesses in one way or another, at least in terms of data concerning employees. In the event these obligations are not complied with, data controllers may be subjected to an administrative fine in the range between 25.000 TRY and 1.000.000 TRY (approx.. 5.500 EUR - 21.500 EUR) under article 18 of the DPL.

The Board has the discretion to impose administrative fines between these limits based on the scope of the incompliance. As the Board was formed recently, there are limited Board decisions to shed light on how the Board will exercise its discretion. Most recently, the Board decided to impose an administrative fine in the amount of TRY 30.000 TRY (approx.. 6.500 EUR) in a case where a bank disclosed six months' bank statements of a litigant to the Court whereas the disclosure was not required. As the Board is keeping a close eye on protection of personal data to ensure the implementation of the DPL, we advise data controllers to closely track Board decisions and commit to implementing Board's guidances.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.