Guidance on Matters to be Considered in Processing Biometric Data
On September 16, 2021, the Personal Data Protection Authority published the “Guidance on Matters to be Considered in Processing Biometric Data” (the “Guidance”). The Guidance mainly addresses the following issues:
The Law on the Protection of Personal Data (the “Law”) entered into force upon its publication in the Official Gazette dated 07.04.2016. Article 6 of the Law regulates the "Conditions for processing of personal data of special nature". According to this article, personal data of special nature are personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership in associations, foundations or trade unions, health, sexual life, convictions and security measures, as well as biometric and genetic data.
Biometric data, although listed among the personal data of special nature in the Law, is not regulated comprehensively in the legislation. However, according to Article 4 of the EU General Data Protection Regulation, for personal data to qualify as biometric, the distinctive features of the person must result from data processing, and these features must serve to identify the person or to confirm the person's identity. Under this definition, biometrics are expressed in terms of human physical or behavioral characteristics, and such data are personal and unique. Physiological biometric data include a person's fingerprint, retina and iris; the way a person walks or cycles constitutes behavioral biometric data.
In the processing of biometric data, the conditions defined in the Law must be fulfilled. According to Article 6 of the Law, it is prohibited to process personal data of special nature without the explicit consent of the data subject. However, personal data of special nature other than data relating to health and sexual life may be processed without the explicit consent of the data subject in the cases provided for by law. Accordingly, biometric data may be processed without the explicit consent of the data subject only where the processing is provided for by law. Otherwise, the explicit consent of the data subject is required for the processing of biometric data.
In subparagraph (a) of the first paragraph of Article 3 of the Law, titled “Definitions”, explicit consent is defined as “consent related to a certain subject, based on information and expressed with free will”. For explicit consent given for data processing to be valid, it must first be given on a specific subject and be limited to that subject. Moreover, since explicit consent is a declaration of will, the person must know what they are consenting to in order to consent freely: they must have full knowledge not only of the subject matter but also of the consequences of their consent. Therefore, where other laws expressly contain provisions on the processing of biometric data, the provisions of those laws apply. In addition, the general principles in Article 4 of the Law must be complied with in the processing of such data. Against this background, the Guidance has been prepared to place the processing of biometric data on a legal basis. The principles of biometric data processing and biometric data security are set out in the Guidance.
Biometric Data Processing Principles
The data controller may process biometric data in accordance with the general principles in Article 4 and the conditions set forth in Article 6 of the Law. In addition, biometric data processing should be limited to its purpose and must not touch the essence of fundamental rights and freedoms; the method used should be appropriate and necessary, and the data processing activity should be suitable for the purpose to be achieved. There should also be proportionality between the purposes and the means of data processing, the data should be retained only for as long as necessary, data controllers should fulfill their obligation to inform under Article 10 of the Law, and where explicit consent is required, the explicit consent of the data subjects should be obtained in accordance with the Law.
The data controller should document that all of the above principles are met.
Unless necessary, genetic data should not be obtained when biometric data is obtained.
When a type of biometric data is selected, the reasons for choosing it over other types should be explained.
The maximum period for the processing of personal data should be determined. Each type of biometric feature should be processed only for as long as required.
Biometric Data Security
Data controllers should observe the personal data security requirements in the legislation. In this respect, it is obligatory to take the measures specified in the Board's decision on "Adequate Precautions to be Taken by Data Controllers in the Processing of the Personal Data of Special Nature". Accordingly, the data controller should take the technical and administrative measures necessary to ensure the security of the data, having regard to the nature of the data and the possible risks to the data subject.
In addition, the data controller has to take the following administrative and technical measures when processing biometric data:
1-) Technical Measures
Biometric data stored in cloud systems should be protected using cryptographic methods.
Derived biometric data should be stored in such a way that the original feature cannot be recovered from it.
Biometric data should be encrypted with cryptographic methods strong enough to provide adequate security. The management of this encryption should be clearly defined.
The data controller should test its system using non-real data. The use of biometric data for testing purposes should be limited to what is required, and all such data should be deleted at the latest at the end of the tests.
The data controller should take measures that warn the system administrator and/or delete and report biometric data in case of unauthorized access to the system.
The data controller should use certified methods and licensed, up-to-date software in the system, give preference to open-source software, and apply the necessary updates in a timely manner.
The lifetime of the devices used should be traceable. Hardware and software tests of the biometric data system should be performed periodically.
The data controller should be able to monitor and limit user actions in the software that processes biometric data.
2-) Administrative Measures
An alternative system should be provided, without any restrictions or additional costs, for those who cannot use the biometric solution or do not give explicit consent to it.
An action plan should be established for cases in which biometric authentication fails.
The mechanism by which authorized persons access biometric data systems should be established and managed, and their responsibilities should be determined.
Personnel involved in biometric data processing should receive special training on the processing of biometric data and such training should be documented.
An official reporting procedure should be established so that employees can report possible security risks in the system and the threats that may arise from them.
The data controller should establish an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.
As explained above, the Guidance aims to clarify the processing of biometric data in detail. Data controllers that process biometric data in accordance with the Law should also comply with the rules set out in the Guidance.