Turkish Personal Data Protection Authority's Guideline On The Considerations For The Processing Of Biometric Data
The Turkish Personal Data Protection Authority ("Authority") has published The Guideline on the Considerations for the Processing of Biometric Data ("Biometric Data Guide") on its official website on September 16, presenting the Authority's guidance on data controllers' biometric data processing activities.
Pursuant to the Article 6 of the Law on the Protection of Personal Data Numbered 6698 ("Law"), biometric data is defined as one of the "special categories of personal data"1 and may be processed subject to stricter rules than other types of personal data. According to Article 6 of the Law, processing of biometric data is prohibited unless the data subject has given his/her explicit consent, or it is provided by the laws.
Even though the term "biometric data" is not defined under our legislation, the meaning of the term has been being interpreted by the Turkish Personal Data Protection Board ("Board") by taking into account the European Union legislation, specifically Recital 51 and Article 9 of the General Data Protection Regulation ("GDPR"). Accordingly, the Board had stated that "only in circumstances where these data [photographs] are processed in a manner that allows to uniquely identify or verify a person" the processing constitutes a processing of biometric data.
Now, the definition of "biometric data" is introduced under the Biometric Data Guide, and accordingly, in order for a data to be considered as biometric data, the distinctive features of the data such as the physiological, physical or behavioral characteristics of the person must be revealed as a result of data processing, and the revealed features should be personal data that serve to identify the person or confirm the identity of the person.
Similar with the Article 9 of the GDPR (defining processing of biometric data as "the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person"), the Authority states that biometric data processing occurs when "the distinctive features of the data are revealed". Within this context, if a (potentially) biometric data is not processed to uniquely identify a person, Article 6 of the Law (regulating processing of special categories of personal data) and the Biometric Data Guide should not be applicable.
The Biometric Data Guide also exemplified biometric data under two categories as follows;
The same categories set out by the Biometric Data Guide may be observed under the Article 29 Working Party's Working Document on Biometrics as "... there are physical and physiological-based techniques which measure the physiological characteristics of a person and include : fingerprint verification, finger image analysis, iris recognition, retina analysis, face recognition, outline of hand patterns, ear shape recognition, body odor detection, voice recognition, DNA pattern analysis and sweat pore analysis, etc. ... behavioral-based techniques, which measure the behavior of a person and include hand-written signature verification, keystroke analysis, gait analysis, etc.". Since the Board often takes into account the GDPR's application during its investigations and decisions, there is a high chance that the Board continues to interpret these categories in a manner similar to the Article 29 Working Party's working document.
According to the Biometric Data Guide, in order for biometric data to be processed by the data controllers, the data processing activity should comply with certain principles, as summarized below.
Please note that these principles are essentially envisaged under the Article 4 of the Law (similar to the GPDR's general principles). However, with the Biometric Data Guide, the Authority is now emphasizing their importance during processing such sensitive data.
When these principles set out under the Biometric Data Guide are reviewed along with the EU acquis, it is seen that similar principles such as "proportionality", "purpose limitation" and "storage limitation" are already stated by the Article 29 Working Party, in its Opinion 3/2012 on developments in biometric technologies ("WP29 Opinion"). Thus, we believe that similar principles of the GDPR and their application for the biometric data processing activities should be taken into consideration while evaluating the lawfulness of the biometric data processing activities in Turkey as well.
Finally, the Authority emphasized the necessity of providing an alternative system to provide the relevant services without any restrictions or additional costs for the persons who cannot use the biometric means (biometric data is impossible to record or read, handicap status that makes it difficult to use, etc.) or who do not want to provide their explicit consent within this regard.
Please be noted that, the Board's principal (binding) decision "Adequate Measures that Need to be Taken by Data Controllers while Processing the Special Categories of Personal Data" Numbered 2018/10 and Dated 31/01/2018 should be respected (due to the processing of biometric data, which is one of the special categories envisaged by the Law) and the relevant security measures must be taken, independently from the Biometric Data Guide.
Even though there is no specific penalty for unlawful biometric data processing activities, pursuant to the Article 18 of the Law (Misdemeanors) and the Board's case law within this scope, non-compliance with the Law during processing biometric data may result with the following administrative penalties. In summary, the Board is authorized to impose monetary fines which are re-evaluated each year3 and / or to decide the determined infringements to be remedied by the relevant data controller.
In the past, the Board adopted a very strict approach in its decisions regarding the processing of biometric data, and it is known that the Board especially considers the Article 4 of the Law in terms of compliance, even in cases where alternatives are being presented and finds that it is contrary to the Law, underlining that "the use of a system containing biometric data at the entrance and exit of the facility, even if another option is offered, is not in accordance with the proportionality principle in paragraph (ç) of paragraph (2) of the Article 4 titled General Principles". Therefore, once the Biometric Data Guide published by the Authority is interpreted together with the Board's decisions, it may be seen that biometric data processing activities will be subject to a more rigid regime than the past. We believe that this rigidness will coincide with Article 29 Working Party's opinions regarding processing of biometric data as well.
In this context, we are of the opinion that the Board may carry out an examination based on this guide4 and in line with the GPDR's application regarding the issues such as taking special security measures, presenting appropriate privacy notices, conducting necessary processes within the scope of the principle of accountability, and may impose strict sanctions together with reference to the guide in case of violations. It should be noted that the Biometric Data Guide underlines data controllers' ability to document the execution of the said evaluations (why other types of data were not preferred and why such biometric data is decided to be processed etc.). Therefore, implementing internal evaluation and documentation procedures (similar to data protection impact assessment) may be beneficial in order to prove that the recommended steps were indeed taken (before processing biometric data).
In line with all above presented principles and rules, it is recommended for data controllers to review their current biometric data processing activities and carry out the necessary studies to comply with the Biometric Data Guide.
1 Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
2 Under this decision of the Board, the latter had made a reference to the Working Party 29's Opinion 3/2012 on developments in biometric technologies and its evaluation on the proportionality.
3 Please note that the administrative monetary fine limits are applicable for the year 2021 and the said amounts shall vary based on the annual re-evaluation.
4 Guidelines published by the Authority are not legally binding, but these guidelines may be taken into consideration by the Board during its investigations in the future. Within this regard, the Board may evaluate non-compliance with the recommendations stated under the guidelines to the detriment of the data controller (Board has been already directly referring to the Authority's guidelines within its decisions.)