The Turkish Data Protection Board ("Board") has recently issued the Guidance on the Matters to be Taken into Consideration for Processing Biometric Data [1] ("Guidance"), which was published on the Turkish Data Protection Authority's ("DPA") website on September 16, 2021.
In the Guidance, the Board points out that even though biometric data is regulated as one of the special categories of data under Article 6 of the Law No. 6698 on Protection of Personal Data ("DPL"), the concept has not yet been defined by domestic regulation. The Board therefore refers to Article 4 of the GDPR, which contains the most comprehensive definition of "biometric data", reading as follows:
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
The Guidance is divided into two sections: (i) Principles for the processing of biometric data and (ii) administrative and technical measures that should be taken for the security of biometric data.
I. Principles for the Processing of Biometric Data
The Guidance indicates that the data controller may only process biometric data in accordance with the general principles stipulated under Article 4 of the DPL and the conditions regulated in Article 6 of the DPL, observing the following:
(i) The essence of fundamental rights and freedoms should be protected, since the protection of personal data is a fundamental right regulated under the Constitution of the Republic of Turkey.
(ii) The method used in processing must be suitable for achieving the relevant purpose of processing, and the data processing activity should also be suitable for the intended purpose.
(iii) The biometric data processing method must be necessary for the purpose intended to be achieved. In other words, if there is any alternative to processing biometric data, processing biometric data will be deemed unnecessary. The Guidance refers to the DPA's decisions [2] numbered 2019/81 and 2019/165 regarding the processing of biometric personal data by data controllers operating fitness centers in order to track the entrances and exits of their members. The DPA also provides an example to highlight the situations in which biometric data may be deemed necessary: the Guidance states that processing biometric data might be suitable for controlling access to a nuclear power station, whereas a more suitable method might be chosen for entry to a fitness center.
(iv) There must be proportionality between the tool used and the purpose to be achieved by processing biometric data. In order to proceed with biometric data processing, the severity of the intervention must be proportionate to the reasons justifying it. For instance, processing biometric data in a laboratory where research is conducted on dangerous viruses might be considered suitable, and a data subject's request not to have their biometric data processed will be invalid in that case.
(v) The biometric data must be kept only as long as it is necessary, and should be destroyed without any delay after the necessity disappears.
(vi) The processing activity must be limited in line with the purpose of processing, and the data controller's obligation to inform must be fulfilled as per Article 10 of the DPL.
(vii) If explicit consent is required, it must be obtained from the data subjects in accordance with the DPL. The Guidance states that data subjects should be informed of the consequences of their explicit consent, and that explicit consent must not be a prerequisite for the provision of services.
In addition to these principles, the Guidance states that the data controller should record and prove that the foregoing principles are met. In doing so, further principles regarding retention of biometric data are indicated as follows:
(i) Genetic data (blood, saliva, etc.) should not be taken along with the biometric data, if there is no requirement to do so.
(ii) In the selection of the type or types of biometrics (iris, fingerprint, vascular network of the hand, etc.), reasoning and documentation should be provided as to why the preferred type or types of biometric data were chosen over others.
(iii) The maximum period for processing the personal data should be determined. This period may be based on legislation or may be determined by the data controller; in either case, all variants of the biometric feature (raw data, derived records, etc.) must be processed only for the required time, and the data controller should explain in its personal data retention and destruction policy why the relevant data will be kept for that period.
II. The Administrative and Technical Measures for Biometric Data Security
According to the Guidance, data controllers processing biometric data should pay attention to the personal data security requirements contained in laws, regulations, communiqués and Board decisions. In this regard, when processing special categories of personal data, data controllers are required to take the measures specified in the DPA's decision [3] on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" dated 01/31/2018 and numbered 2018/10. Furthermore, the measures set out in the guidance documents prepared by the DPA for data controllers should also be taken into account.
In addition to the data security measures in the foregoing legislation and guides, data controllers should also take the following measures regarding biometric data processing:
(i) Technical Measures
-Biometric data should be stored in cloud systems only in encrypted form, using cryptographic methods.
-Derived biometric data should be stored in a way that does not allow the recovery of the original biometric feature.
-Biometric data and its templates should be encrypted with cryptographic methods that provide adequate security in light of current technology. The encryption and key management policy should be clearly defined.
-Before installing the system and after any changes, the data controller should test the system using synthetic (not real) data.
-During testing, the data controller should limit the use of biometric data to what is strictly necessary. All data should be deleted at the end of the tests.
-The data controller should implement measures that warn the system administrator and/or delete and report biometric data in case of unauthorized access to the system.
-The data controller should use certified equipment, licensed and up-to-date software in the system, prefer open source software primarily and make the necessary updates in the system on time.
-The lifetime of devices that process biometric data should be traceable.
-The data controller should be able to monitor and limit user actions on the software that processes biometric data.
-Hardware and software tests of the biometric data system should be performed periodically.
(ii) Administrative Measures
-An alternative system should be provided, without any restrictions or additional costs, for persons who cannot use the biometric solution (biometric data that is impossible to record or read, a disability that makes it difficult to use, etc.) or who do not give explicit consent to its use.
-An action plan should be established for cases of system failure or failed authentication with biometric methods (failure to verify an identity, lack of authorization to enter a secure area, etc.).
-An access mechanism for authorized persons to biometric data systems should be established and managed, and those responsible should be identified and documented.
-Personnel involved in the biometric data processing process should be trained on the processing of biometric data and such training should be documented.
-A formal reporting procedure should be established, so that the employees can report possible security vulnerabilities in systems and services and threats that may arise as a result thereof.
-The data controller should establish an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in December 2021.
[1] https://kvkk.gov.tr/SharedFolderServer/CMSFiles/bd06f5f4-e8cc-487e-abe1-d32dc18e2d7e.pdf (Last accessed on October 25, 2021)
[3] https://www.kvkk.gov.tr/Icerik/4110/2018-10 (Last accessed on October 25, 2021)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.