Measures to be Taken by Data Controllers in Processing Sensitive Personal Data
The Personal Data Protection Board issued Decision No. 2018/10 of 31 January 2018 on the “Determination of Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data”, which entered into force upon publication in the Official Gazette of 7 March 2018.
Below you can find information on the details of said decision.
Pursuant to Article 6/1 of Code No. 6698 on the Protection of Personal Data (“CPPD”), data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and the security measures imposed on them, together with their biometric and genetic data, constitute sensitive personal data.
The same article also provides that, in addition to the express consent of the data subject being required, the “adequate measures” determined by the Board must be taken when Sensitive Personal Data are processed.
Through the decision mentioned above, the Personal Data Protection Board has determined the “adequate measures” it is required to identify under Article 6/4 of the CPPD. These are as follows:
First of all, the Data Controller must adopt a separate policy and procedure for the security of sensitive personal data, which should be systematic, manageable, sustainable and governed by clear rules.
In addition,
a) For the Employees Involved in the Processing of Sensitive Personal Data:
- Periodic training must be provided on the CPPD, the related regulations and the security of sensitive personal data;
- Confidentiality agreements must be signed with such personnel;
- The scope and duration of the access rights of users authorized to access the data must be clearly defined;
- Access authorizations must be reviewed periodically;
- The access rights of employees who are reassigned to another position or leave their job must be revoked immediately, and within this scope the equipment (inventory) allocated to them by the Data Controller must be returned.
b) If Sensitive Personal Data are Processed, Stored and/or Accessed on Electronic Media:
- Sensitive Personal Data must be stored using cryptographic methods;
- Cryptographic keys must be kept in secure and separate media;
- Transaction logs of all operations performed on the data must be securely recorded;
- Security updates for the media in which the data are stored must be continuously monitored, the necessary security tests must be performed regularly (or commissioned from others) and the test results must be recorded;
- If the data are accessed through an application, user authorizations must be defined for that application; likewise, security tests must be performed regularly (or commissioned from others) for that application and the test results must be recorded;
- If remote access to the data is necessary, an authentication system with at least two factors (steps) must be in place.
c) If Sensitive Personal Data are Processed, Stored and/or Accessed on Physical Media:
- Adequate security measures (against electrical faults, fire, flooding, theft, etc.) must be taken, having regard to the nature of the media in which the sensitive personal data are stored;
- The physical security of such media must be ensured, and entry and exit by unauthorized persons must be prevented.
d) If Sensitive Personal Data are to be Transferred to Third Parties:
- If the data need to be transferred by e-mail, they must be sent in encrypted form, using either a corporate e-mail address or a Registered Electronic Mail (REM, in Turkish “KEP”) account;
- If the data need to be transferred on portable media (flash drives, CDs, DVDs, etc.), they must be encrypted using cryptographic methods and the cryptographic key must be kept in a separate medium;
- If the data are to be transferred between servers in different physical environments, the transfer must be performed over a VPN established between the servers or by means of sFTP;
- If the data need to be transferred on paper, the necessary measures must be taken to protect the documents against theft, loss or being seen by unauthorized persons, and the documents must be sent in the “classified document” format.
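Two of the measures above, storing sensitive data with cryptographic methods while keeping the key in a separate medium (section b) and encrypting portable media with the key held separately (section d), are satisfied by the same construction, known as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK travels with the data, wrapped under a key-encryption key (KEK) that stays in a separate key store. The following Go program is an added illustration written for this note; it is not part of the Board’s decision and not code from any product. It uses only the standard library (AES-256-GCM). The `KeyStore` map, the key identifier `kek-2018-03` and the patient record are constructed for the example; in practice the KEK would live in an HSM, a KMS or a key server on its own host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all that lands on the data medium (database row, CD, DVD): the
// record sealed under a fresh DEK and that DEK wrapped under a KEK. The KEK
// itself never appears here.
type Envelope struct {
	KeyID      string // names the KEK in the separate key store that wraps the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// KeyStore stands in for the separate medium that holds KEKs (HSM, KMS, key
// server on its own host); an in-memory map is assumed for the example only.
type KeyStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails on any change to blob or aad.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt seals one record under a fresh DEK and wraps the DEK with the KEK
// named keyID. Only the returned Envelope is written to the data medium.
func Encrypt(ks KeyStore, keyID string, record []byte) (*Envelope, error) {
	kek, ok := ks[keyID]
	if !ok {
		return nil, fmt.Errorf("key store has no KEK %q", keyID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, record, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs both the Envelope (data medium) and the KeyStore (separate
// medium); either one on its own yields nothing.
func Decrypt(ks KeyStore, env *Envelope) ([]byte, error) {
	kek, ok := ks[env.KeyID]
	if !ok {
		return nil, fmt.Errorf("key store has no KEK %q", env.KeyID)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // crypto/rand.Read cannot fail on Go 1.24+
	ks := KeyStore{"kek-2018-03": kek} // held on the separate medium
	// Constructed sample record; Encrypt cannot fail here (KEK present, 32-byte keys).
	env, _ := Encrypt(ks, "kek-2018-03", []byte(`{"patient":"0001","dx":"hypertension"}`))
	fmt.Printf("data medium: keyID=%s wrappedDEK=%x ciphertext=%x\n", env.KeyID, env.WrappedDEK, env.Ciphertext)
	_, err := Decrypt(KeyStore{}, env)
	fmt.Println("without key store:", err)
	plain, _ := Decrypt(ks, env)
	fmt.Println("with key store:", string(plain))
}
```

Running the program shows that a copy of the data medium alone (the `Envelope`) reveals neither the record nor the KEK, that decryption fails without the key store or with the wrong KEK, and that any modification of the stored bytes is rejected by the GCM authentication tag. Binding `KeyID` as associated data also means a KEK can be rotated by rewrapping only the DEKs, without re-encrypting the records themselves.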
In addition to the security measures detailed above, the technical and organizational measures for ensuring the appropriate level of security set out in the Personal Data Security Guide published at www.kvkk.gov.tr must also be taken into account.
Our Law Firm remains at your disposal for any further clarifications you may need.