The Guideline on Processing Biometric Data Published by The Personal Data Protection Authority
The Turkish Personal Data Protection Authority (in Turkish, “Kişisel Verileri Koruma Kurumu”, hereinafter referred to as the “Authority”) published a Guideline on Points to Take into Consideration When Processing Biometric Data (hereinafter referred to as the “Guideline”) on 17 September 2021.
The Guideline defines biometric data in line with the definitions found in Court of Appeals decisions and the EU’s General Data Protection Regulation. Under these definitions, biometric data consists of physical or behavioral characteristics that are personal, unique and one of a kind. The Authority states that biometric data is data that (i) cannot be forgotten, (ii) remains the same for a lifetime and (iii) is possessed without any intervention. Biometric data makes it easy to distinguish individuals and eliminates the possibility of confusion.
Overall, while the Guideline clarifies the concept of biometric data in detail, it also explains the principles that data controllers must pay attention to when collecting biometric data, as well as the technical and organizational measures that data controllers are required to adopt.
Biometric Data
The main feature that leads biometric data to be considered “sensitive personal data” (in Turkish, “özel nitelikli kişisel veri”) under Article 6 of the Personal Data Protection Code Numbered 6698 (hereinafter referred to as “the Code”) is that it is personal, unique and one of a kind.
The Guideline notes that once biometric data is used, it becomes very easy to distinguish people from each other and the possibility of confusion is almost eliminated.
Furthermore, the Guideline divides biometric data into two categories: (i) physiological and (ii) behavioral biometric data. Biometric data such as fingerprint, retina, palm, face, hand shape and iris constitute physiological biometric data, whereas biometric data such as an individual’s walking style, typing style and driving style constitute behavioral biometric data.
Legal Reason for Processing Biometric Data and Principles of Processing Such Data
Where there is no explicit consent of the data owner, biometric data may only be processed in cases explicitly stipulated by law.
The Guideline states that if biometric data processing is stipulated by law, the provision of the law in question must be clear enough to leave no room for doubt.
In addition, the Guideline sets out and explains in detail the following conditions as the main principles to be taken into consideration when processing biometric data:
1. The data controller must process biometric data not only in accordance with the general principles set forth in Article 4 and Article 6 of the Code, but also in conformity with the following principles set forth in the Guideline:
- Data processing activity must not infringe the essence of fundamental rights and freedoms. Since the protection of personal data is one of the fundamental rights and freedoms regulated in the Constitution of the Republic of Turkey, it is clear that biometric data processing activities must also be subject to fundamental guarantees in terms of fundamental rights and freedoms stipulated in the Constitution, and at this point, the principle of proportionality is of paramount importance.
- The method applied by the data controller for processing data must be suitable for achieving the purpose of processing, and the data processing activity itself must be appropriate for the purpose to be achieved.
- The biometric data processing method must be necessary for the purpose to be achieved. In other words, if there is any alternative method other than processing biometric data, the biometric data must not be processed, since it will not be necessary to process the biometric data. This principle has also been underlined by the Decision of the Personal Data Protection Board (in Turkish “Kişisel Verileri Koruma Kurulu”, hereinafter referred to as “the Board”) dated 25/03/2019 and numbered 2019/81 and its Decision dated 31/05/2019 and numbered 2019/165.
- There must be proportionality between the purpose to be achieved and the means used to achieve it. In terms of biometric data processing, the severity of the intervention and the reasons justifying it must be proportionate; that is, the method used must not impose disproportionate interventions on data owners. Where more than one method is available, choosing the most appropriate one among them is what the proportionality principle requires.
- Biometric data must be retained for as long as necessary, and after the necessity ceases, the data must be destroyed immediately and without delay.
- Processing must be limited in line with its purpose, and data controllers are required to fulfill their obligation to inform in accordance with Article 10 of the Code. Considering the importance and sensitivity of biometric data, data controllers who will process biometric data must also clearly inform data owners about which biometric data is collected, on what legal basis and for what purpose, the importance of this data, and the consequences that may arise in case of a violation (i.e., the risks of processing biometric data).
- If explicit consent is required, the explicit consent of the data owners must be duly obtained in accordance with the Code. For explicit consent to be valid, the data owner must be conscious of his/her behavior and must be able to make his/her own decision.
2. The Guideline further stipulates that all the elements listed above must be duly recorded and documented by data controllers.
3. Unless required, genetic data such as blood, saliva, etc. must not be obtained.
4. In the selection of the type or types of biometric data (iris, fingerprint, vascular network of the hand, etc.), justifications and documentation must be provided as to why the preferred type or types of biometric data were chosen over others.
5. Collected biometric data must only be processed for the required time, and data controllers must explain, within the framework of their personal data retention and destruction policy, the reasons for how long the said data will be retained.
Technical and Organizational Measures Required to Ensure Data Security
In addition to the issues explained above, the Guideline also emphasizes the technical and organizational measures to be adopted when processing biometric data in order to ensure data security. The measures stipulated by the Guideline are as follows:
1. Technical Measures:
- Biometric data must only be stored in cloud systems by using cryptographic methods.
- Derived biometric data must be stored in a way that does not allow the recovery of the original biometric feature.
- Biometric data and its templates must be encrypted in accordance with current technology, with cryptographic methods that will provide adequate security. The encryption and key management policy must be clearly defined.
- Before installing the system and following any amendments to it, the data controller must test the system using synthetic (i.e., non-real) data in dedicated test environments.
- The data controller must limit the use of biometric data to what is necessary for testing purposes. All such data must be deleted at the end of the tests at the latest.
- The data controller must implement measures that warn the system administrator and/or delete and report biometric data in case of unauthorized access to the system.
- The data controller must use certified equipment and licensed, up-to-date software in the system, prefer open source software where possible, and apply the necessary updates to the system on time.
- The lifetime of devices that process biometric data must be traceable.
- The data controller must be able to monitor and limit user actions on the software that processes biometric data.
- Hardware and software tests of the biometric data system must be performed periodically.
- An alternative system must be provided, without any restrictions or additional costs, for data owners who do not grant their explicit consent or for situations in which the biometric solution is not in use.
- An action plan must be created in case authentication by biometric methods fails.
- An access mechanism for authorized persons to biometric data systems must be established and managed, and those responsible for such mechanisms must be identified and documented.
- Employees involved in the biometric data processing must receive a special training on the processing of biometric data and such training must also be documented.
- A formal reporting procedure must be established so that the employees can report possible security vulnerabilities in systems and services and threats that may arise as a result of such vulnerabilities.
- The data controller must establish an emergency procedure to be implemented in the event of a data breach and must announce it to everyone concerned.
In light of the above explanations, kindly be informed that all data controllers involved in biometric data processing activities are required to comply with the principles and measures specified in the Guideline.
Our Law Firm remains at your disposal for any further clarifications or assistance you may need about the subject matter.