27 May 2025

Examination Of Biometric Data Within The Scope Of Personal Data Protection Law

Sakar Law Office


Sakar is a client- and solution-oriented, investigative and innovative law firm based in Istanbul. Our Firm is committed to providing our clients with high-quality legal services and a business-minded approach. We are a full-service law firm to clients across a wide range of areas including Mergers and Acquisitions, Corporate and Commercial, Contracts, Banking and Finance, Competition, Litigation, Employment, Real Estate, Energy, Capital Markets, Foundations, E-commerce, Media and Technology, Data Privacy and Data Protection and Intellectual Property. In order to offer the best possible service for our clients, we harness the latest market developments in legal technology and innovation and we closely follow the legislative changes in Turkish Law. Our lawyers are multi-specialists, equipped to handle a broad range of legal matters. In addition to our depth of experience and awareness of market practice, clients know they will benefit from our team’s innovative mindset and willingness.

Biometric data, which is used to identify and verify individuals, has become widely processed in both the public and private sectors with the advancement of technology.

As is known, the Personal Data Protection Law No. 6698 ("Law") entered into force in April 2016 with the aim of protecting the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data, and regulating the procedures and principles to be followed by real and legal persons processing personal data. Following this period, the Personal Data Protection Board ("Board") has issued various regulations, circulars, and guidelines on the protection of personal data and published numerous decisions on its website to clarify the implementation.

In this article, we will focus on the principles and security measures to be observed in the processing of biometric data within the scope of the Guide on Matters to Be Considered in the Processing of Biometric Data dated March 2025 ("Guide") published by the Board.

What are the basic principles to be observed when processing personal data?

Before addressing biometric data, we would like to first touch upon the general principles, which are the fundamental rules of the Law. Article 4 of the Law regulates the matters that should be considered during the processing of personal data. In this context, it is also very important that biometric data is processed in accordance with the law and the rules of good faith, that the data is accurate and up-to-date, that it is processed for specific and legitimate purposes, that it is limited to those purposes and proportionate, and that it is only stored for as long as necessary.

What exactly does biometric data mean?

It should be noted that although Article 6 of the Law stipulates that biometric data shall be considered special category personal data, the definition of biometric data has not been explicitly provided in Turkish law. However, the Board's decisions and the Guide state that biometric data refers to data that is directly carried by an individual and is generally unchanging and easily obtainable. In this context:

  • Physiological Biometric Data: Examples include physical characteristics of the body such as fingerprints, face, iris, and palm.
  • Behavioral Biometric Data: Examples include characteristics based on movements and habits that may change over time, such as walking style or keyboard usage.

Under What Conditions Are Biometric Data Processed?

When processing biometric data, it is important to ensure that the conditions for biometric data processing are met and that the general principles set out in Article 4 of the Law are complied with. For the processing of these data:

  • Explicit consent should be obtained or
  • The exceptional circumstances specified in Article 6 of the Law (e.g., legal regulations, public health, life-threatening situations, fulfilment of legal obligations, exercise of right, disclosure by the individual) must be present.

What Should Be Considered When Processing Biometric Data?

As stated in the Board decisions and the Guide, the data controller may process biometric data in accordance with the general principles set out in Article 4 of the Law and the conditions set out in Article 6, but only in accordance with the following principles:

  • Not infringing on fundamental rights and freedoms: The processing of biometric data must be in accordance with the principle of protecting fundamental rights and freedoms, and biometric data must be used only when necessary, in compliance with the principle of proportionality.
  • The method used must be suitable for achieving the purpose of processing: The biometric data processing method must be capable of serving the intended purpose and be suitable for achieving that purpose.
  • The data processing activity must be appropriate and necessary for the intended purpose: If the same result can be achieved by a less intrusive method, biometric data processing is considered unnecessary and should not be preferred.
  • Proportionality between the purpose and the means: The method used must not result in disproportionate interference compared to the intended purpose, i.e., there must be a reasonable balance between the means and the purpose.
  • Retention for as long as necessary, and immediate destruction of the data once the necessity ceases: Biometric data should only be stored for as long as necessary and destroyed without delay once the need ceases.
  • Limited to the purpose of processing, data controllers must fulfil their obligation to provide information in accordance with Article 10 of the Law: Data controllers are obliged to inform the data subjects in detail, clearly stating which biometric data are processed, for what purpose and on what legal basis.
  • Where explicit consent is required, the relevant individuals' explicit consent must be obtained in accordance with the Law: If explicit consent is required for the processing of biometric data, this consent must be informed, freely given, and specific to the matter in question.

In addition to the above principles, as stated in the Board's decisions and the Guide, the data controller is recommended to document that it has acted in accordance with all legal principles before commencing the processing of biometric data and to record this process. Furthermore, genetic data (e.g., blood, saliva samples) should not be collected unless necessary and truly relevant to the purpose. The periods for which biometric data will be stored must be determined in a reasonable manner in accordance with the Law.

What measures should be taken for the security of biometric data?

As mentioned above, data controllers who will process biometric data must first and foremost comply with the Law, secondary legislation, Board decisions and guidelines. In this context, due to the special nature of biometric data, it is mandatory to take the minimum security measures set out in the Board's decision dated January 31, 2018 and numbered 2018/10. In addition, the Guide contains technical and administrative measures of a recommendatory nature, and it is important that data controllers comply with these measures.

  • Technical measures, in summary, include the secure storage of biometric data using cryptographic methods, testing systems with synthetic data, protecting against unauthorized access, and ensuring that the hardware and software used are up-to-date and traceable.
  • Administrative measures, on the other hand, include offering alternatives to biometric data, documenting access and authorization processes, raising awareness among personnel through special training, and establishing plans and reporting mechanisms for possible security breaches.

Conclusion

Biometric data, by its nature, directly identifies individuals and is irreversible. Therefore, the processing of biometric data can only be considered lawful when it is strictly necessary and appropriate security measures are in place.

***

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
