Subject: Newsletter regarding the “Principle Decision regarding the Guideline on Issues to be Considered in the Processing of Biometric Data” published by the Personal Data Protection Board (the “Board”) on the website of the Board on the date 16.09.2021
- What is Biometric Data?
Biometric data, in its enhanced scope, is defined under the 4th Article of the General Data Protection Regulation as follows: “it is personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a real person, which allow or confirm the unique identification of that real person, such as facial images or dactyloscopic data”. Based on this definition, for data to qualify as biometric data, it must be distinctive in terms of the physical, physiological, or behavioral characteristics of the person and must enable the identification or authentication of the identity of that person by making the data owner identifiable. Biometric data is very important in the identification or authentication of a person's identity because it is specific to the person, unique, and does not change for a lifetime. Biometric data can be processed by numerous methods, such as fingerprint recognition, palm recognition, face recognition, iris recognition, or DNA recognition. In particular, in line with developing technologies and in order to ensure a contactless and hygienic social life under the impact of the Covid-19 pandemic, biometric data ranks almost at the top of the data categories that are frequently processed in daily life. In this context, a need arose for the Board to prepare a guideline regarding the processing of such data, which is personal data of special nature.
- Issues to be Considered in the Processing of Biometric Data
Although biometric data is personal data of special nature, as stated, it has not been counted within the scope of the “health and sexual life data” stated under the 6th Article of the Protection of Personal Data Law (the “PPDL”), which is prohibited from being processed without the explicit consent of the persons concerned. Biometric data can be processed by complying with the general principles set forth under the 4th Article of the PPDL and in circumstances where the legal reasons stated under the 5th Article of the PPDL exist. In addition, it is required to comply with the principles and rules, further detailed below, of the Guideline published by the Board.
- Principles regarding Processing
- Not violating fundamental rights and freedoms
Personal data falls almost entirely within the subject matter of the fundamental rights regulated explicitly under the 20th Article of our Constitution, within the scope of the right to claim the protection of private life, because it both constitutes the moral and material integrity of persons and is an integral part of their private lives. The related article explicitly provides that “Everyone has the right to request the protection of his/her personal data.”, and the protection of personal data is thus explicitly secured by the Constitution. In this context, while processing biometric data, the core of fundamental rights and freedoms shall be considered and all required safeguards, primarily proportionality, shall be observed. Only in this manner will it be possible to create an environment in which persons can exercise the rights that protect data, information, and documents concerning their private lives against arbitrary interventions by official authorities.
- The processing method shall be convenient for achieving the processing purpose
The “convenient” element of the data processing device regarding the realization of the data processing purpose has been defined under the decision of the Constitutional Court dated 28.09.2017 and numbered E.2016/125, K.2017/143 as “being convenient of the rule established for achieving the processing purpose”. In this context, in terms of the convenience element, the Board shall evaluate whether the data processing device helps to achieve the processing purpose.
- The data processing method is required to achieve the data processing purpose
The “convenient” element of a data processing device in the realization of the data processing purpose was defined in the decision of the Constitutional Court dated 28.09.2017 and numbered E.2016/125, K.2017/143 as “being convenient of the rule established for achieving the processing purpose”. In line with this decision, which the Board also takes as a basis, where more than one device enables the realization of the same purpose while processing biometric data, the least interfering device among them must be chosen. In other words, if the same or a better result can be achieved with a less restrictive intervention, the device used will be contrary to the principle of necessity. In this regard, the decision of the Board that the collection of fingerprint data of persons at the entrance of the sports hall is contrary to the criteria of necessity is of importance.
- Proportionality between the data processing method and the processing purpose
The “proportionality” element of the data processing device regarding the realization of the data processing purpose has been stated under the decision of the Constitutional Court dated 28.09.2017 and numbered E.2016/125, K.2017/143 as “proportionality between the rule established and the purpose to be achieved”. Within the scope of the Guideline published by the Board, it has been indicated that, in the processing of biometric data, there shall be proportionality between the intensity of the intervention and the reasons justifying it; in other words, the device used shall not result in disproportionate interventions against the persons concerned.
- Biometric data shall be immediately destroyed once the reasons for processing it have ceased to exist.
- The persons concerned shall be informed by the data controller in a lawful manner.
Data controllers processing biometric data are obliged to inform the persons concerned in compliance with the requirements regulated by the PPDL and other legislation. In addition to the obligations set forth under this legislation, and in view of the importance of biometric data, the Guideline published by the Board requires data controllers who will process biometric data to further inform the persons concerned about issues such as the legal reason and the purpose for which they obtain biometric data, the importance of such data, the consequences that can occur in case of violation, and the risks related to the processing of biometric data.
- In the circumstances where explicit consent is required, the explicit consent shall be obtained from the persons concerned.
Explicit consent is a declaration of free will and shall be granted with a limitation to a specific subject matter. In order to obtain the explicit consent of persons lawfully, the persons must be informed not only about the subject matter to which they consent, but also about the consequences that may occur if they grant their explicit consent. In this context, explicit consent shall under no circumstances be tied to a condition such as benefiting from the service, and in cases where there is a status difference between the parties, it shall be diligently evaluated whether the explicit consent is indeed granted on the basis of free will.
Acting in accordance with the aforementioned principles shall be documented by the data controller. It has been precisely stated in the Guideline published by the Board that genetic data shall not be obtained unless necessary. In addition, the explicit justification for choosing the type of genetic data processed over other types and categories of data shall be submitted to the Board upon request. Furthermore, where the retention period of data is not stipulated under the provisions of the legislation, the retention period determined by the data controller shall be explicitly stated in the data retention policies.
- Ensuring the Security of Biometric Data
The first and most important basis for the processing of biometric data and for ensuring its security is the decision of the Board regarding the “Adequate Precautions Required to be Taken by Data Controllers in the Processing of Personal Data of Special Nature” dated 31/01/2018 and numbered 2018/10 K.
In addition to this, it has been stated in the Guideline published by the Board that it is obligatory to use cryptographic methods where biometric data is processed in cloud systems. Encryption and key methods and policies shall be explicitly defined by the data controller. Additionally, derivative biometric data, in other words the modified versions of the first original data obtained in a more general and more comprehensive manner, shall be stored in a manner that does not allow the original data to be obtained again. The system to which the data controller will add biometric data shall be subject to security tests using synthetic data prior to the processing activities. Biometric data processed for test purposes shall be used only to the extent that it is related to the test result and shall be destroyed at the latest upon the test result. In addition, applications and software that send warning signals and that delete and report biometric data in the event of unauthorized access to the systems where the biometric data will be added shall be used in the system. For the systems in which data is kept, licensed and certified systems and, if possible, open-source systems, in other words systems that are easy to close down in case there is a vulnerability in the system, shall be preferred. It shall be possible to monitor the lifetime of devices processing biometric data, and this lifetime shall be monitored. Furthermore, it shall be possible to monitor and limit user transactions in the biometric data processing systems and software. Biometric data systems shall be tested periodically and their security shall be checked.
- Administrative Precautions
Alternative systems shall be established for persons whose biometric data cannot be processed or who do not give their explicit consent to the processing of their data. Therefore, where authentication of identity is made through biometric data, an action plan shall be prepared for the cases in which the biometric data cannot be obtained from the person concerned or the identification fails. A mechanism shall be established for access to systems that include biometric data, and access authorization shall be limited. Persons and responsible persons who will access such data shall be documented. Related training shall be given to all personnel who take part in biometric data processing, and such training shall be documented. In addition, the data controller shall establish a procedure through which employees can report data violations, system vulnerabilities, or failures.