Turkey: Turkish Personal Data Protection Authority's Guideline On The Considerations For The Processing Of Biometric Data

The Turkish Personal Data Protection Authority ("Authority") has published The Guideline on the Considerations for the Processing of Biometric Data ("Biometric Data Guide") on its official website on September 16, presenting the Authority's guidance on data controllers' biometric data processing activities.

Below, you may find our evaluations regarding the recommendations within the Biometric Data Guide, the measures specified to fulfill them, sanctions that may arise in case of non-compliance, along with the comparisons with the EU acquis.

i. What is Biometric Data?

Pursuant to the Article 6 of the Law on the Protection of Personal Data Numbered 6698 ("Law"), biometric data is defined as one of the "special categories of personal data"¹ and may be processed subject to stricter rules than other types of personal data. According to Article 6 of the Law, processing of biometric data is prohibited unless the data subject has given his/her explicit consent, or it is provided by the laws.

Even though the term "biometric data" is not defined under our legislation, the meaning of the term has been being interpreted by the Turkish Personal Data Protection Board ("Board") by taking into account the European Union legislation, specifically Recital 51 and Article 9 of the General Data Protection Regulation ("GDPR"). Accordingly, the Board had stated that "only in circumstances where these data [photographs] are processed in a manner that allows to uniquely identify or verify a person" the processing constitutes a processing of biometric data.

Now, the definition of "biometric data" is introduced under the Biometric Data Guide, and accordingly, in order for a data to be considered as biometric data, the distinctive features of the data such as the physiological, physical or behavioral characteristics of the person must be revealed as a result of data processing, and the revealed features should be personal data that serve to identify the person or confirm the identity of the person.

Similar with the Article 9 of the GDPR (defining processing of biometric data as "the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person"), the Authority states that biometric data processing occurs when "the distinctive features of the data are revealed". Within this context, if a (potentially) biometric data is not processed to uniquely identify a person, Article 6 of the Law (regulating processing of special categories of personal data) and the Biometric Data Guide should not be applicable.  

The Biometric Data Guide also exemplified biometric data under two categories as follows;

• "Physiological biometric data": Fingerprint, retina, palm, face, hand shape, iris of the person.
• "Behavioral biometric data": The way the person walks, presses the keyboard buttons, drives a car.

The same categories set out by the Biometric Data Guide may be observed under the Article 29 Working Party's Working Document on Biometrics as "... there are physical and physiological-based techniques which measure the physiological characteristics of a person and include : fingerprint verification, finger image analysis, iris recognition, retina analysis, face recognition, outline of hand patterns, ear shape recognition, body odor detection, voice recognition, DNA pattern analysis and sweat pore analysis, etc. ... behavioral-based techniques, which measure the behavior of a person and include hand-written signature verification, keystroke analysis, gait analysis, etc.".  Since the Board often takes into account the GDPR's application during its investigations and decisions, there is a high chance that the Board continues to interpret these categories in a manner similar to the Article 29 Working Party's working document. 

ii. Which Suggestions Are Made for Data Controllers under the Biometric Data Guide?

According to the Biometric Data Guide, in order for biometric data to be processed by the data controllers, the data processing activity should comply with certain principles, as summarized below.

Please note that these principles are essentially envisaged under the Article 4 of the Law (similar to the GPDR's general principles). However, with the Biometric Data Guide, the Authority is now emphasizing their importance during processing such sensitive data.

• Fundamental Rights and Freedoms: Biometric data processing should not interfere with the essence of the fundamental rights and freedoms of the persons concerned. Therefore, it is necessary to pay attention to the consequences of biometric data processing activity on the data subjects.
• Appropriateness: The method used must be appropriate for achieving the purpose of processing, and the data processing activity must be suitable for the purpose to be achieved.
• Necessity: It is sought that the biometric data processing method is necessary in terms of the aim to be achieved. (We would like to add that the "necessity principle" is to choose the least intrusive tool where there is more than one tool that allows the same goal to be achieved.)
• Proportionality: There should be a proportionality between the purpose and the tool to be achieved with such data processing activity.
  
  It should be noted that highlighting this principle is also in line with the Board's case law. Under a decision regarding the usage of palm scans while entering to a sport complex, the Board had evaluated whether the data controller could have chosen a less intrusive measure that could have been used to achieve the purpose, and determined that processing of the biometric data was not in line with the principle of "being relevant, limited and proportionate to the purposes for which they are processed" and therefore, unlawful². In another decision of the Board, it has stated that even if there is an alternative method for entering to the sport complex, processing biometric data would still be unproportionate.   
• Limitation: It is underlined that the data should be kept for the required period of time and that it should be destroyed without delay/immediately after the necessity disappears.
• Obligation to Inform: While staying within the limits of the purpose of the processing; it is stated that data controllers must fulfill their obligation to inform in accordance with Article 10 of the Law.
  
  However, in addition to the mandatory elements stipulated by the current provisions under the laws on the obligation to inform, the Authority stated that the data subjects should also be informed about the following issues;
  • Which biometric data is being processed,
  • Information on the basis of biometric data type, its legal ground and the relevant purpose,
  • The importance of biometric data,
  • Possible consequences in case of a data breach and therefore, the risks of processing biometric data.
• Accountability: In addition to the data controllers' obligation to ensure that these requirements have been fulfilled, the Authority requires data controllers to be able to present documents and justifications explaining why other types of data were not preferred and why such biometric data is decided to be processed. In line with this approach of the Authority, the Board may request a study/documentation revealing that an evaluation has been made within this context, specific to the relevant biometric data processing activity.

When these principles set out under the Biometric Data Guide are reviewed along with the EU acquis, it is seen that similar principles such as "proportionality", "purpose limitation" and "storage limitation" are already stated by the Article 29 Working Party, in its Opinion 3/2012 on developments in biometric technologies ("WP29 Opinion"). Thus, we believe that similar principles of the GDPR and their application for the biometric data processing activities should be taken into consideration while evaluating the lawfulness of the biometric data processing activities in Turkey as well. 

iii. Which Security Measures Are Recommended under the Biometric Data Guide?

Similar to the GDPR's application and the WP29 Opinion, several administrative and technical security measures have been proposed undern the Biometric Data Guide in order to prevent the unlawful processing of biometric data, including;

• Preserving biometric data in cloud systems using cryptographic methods,
• Storing the derived biometric data in a way that does not allow the recovery of the original biometric feature,
• Testing the system by means of synthetic data (non-real) in test environments to be created before the data controller installs the system and after any changes,
• Implementation of measures by the data controller, that warn the system administrator and/or delete biometric data and report in case of unauthorized access to the system,
• The data controller should use certified equipment, licensed and up-to-date software in the system, prefer open-source software primarily and make the necessary updates in the system on time,
• The data controller to be able to monitor and limit user actions on the software that processes biometric data,
• Establishing an action plan in case of a failure of authentication by biometric methods (failure to verify an identity, lack of authorization to enter a secure area, etc.).
• Providing special training on the processing of biometric data to the personnel involved in the biometric data processing and documenting the said trainings,
• Establishing a formal reporting procedure so that employees can report possible security vulnerabilities in systems and services and threats that may arise as a result of such vulnerabilities,
• Establishing an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.

Finally, the Authority emphasized the necessity of providing an alternative system to provide the relevant services without any restrictions or additional costs for the persons who cannot use the biometric means (biometric data is impossible to record or read, handicap status that makes it difficult to use, etc.) or who do not want to provide their explicit consent within this regard.

Please be noted that, the Board's principal (binding) decision "Adequate Measures that Need to be Taken by Data Controllers while Processing the Special Categories of Personal Data" Numbered 2018/10 and Dated 31/01/2018 should be respected (due to the processing of biometric data, which is one of the special categories envisaged by the Law) and the relevant security measures must be taken, independently from the Biometric Data Guide.

iv. Risks of Non-Compliance

Even though there is no specific penalty for unlawful biometric data processing activities, pursuant to the Article 18 of the Law (Misdemeanors) and the Board's case law within this scope, non-compliance with the Law during processing biometric data may result with the following administrative penalties.  In summary, the Board is authorized to impose monetary fines which are re-evaluated each year³ and / or to decide the determined infringements to be remedied by the relevant data controller.

• Unlawful privacy notices (not complying with the Law's, the secondary legislation's and / or with the recommendations set out under the Biometric Data Guide) may result in administrative monetary fines from 9,834 Turkish Liras to 196,686 Turkish Liras.
• Non-compliance with the general principles set out under the Article 4 of the Law and the Biometric Data Guide and/or insufficient data security measures may result in administrative monetary fines from 29,503 Turkish Liras to 1,966,862 Turkish Liras.
• Any unlawful biometric data processing activity may result in the Board's instructions (which are not numerus clausus and may vary on case-by-case basis). For example, instruction for the deletion of the unlawfully processed biometric data and/or instruction for the revision of the biometric data processing regime may be in question.

v.Our Evaluation on the Biometric Data Guide

In the past, the Board adopted a very strict approach in its decisions regarding the processing of biometric data, and it is known that the Board especially considers the Article 4 of the Law in terms of compliance, even in cases where alternatives are being presented and finds that it is contrary to the Law, underlining that "the use of a system containing biometric data at the entrance and exit of the facility, even if another option is offered, is not in accordance with the proportionality principle in paragraph (ç) of paragraph (2) of the Article 4 titled General Principles". Therefore, once the Biometric Data Guide published by the Authority is interpreted together with the Board's decisions, it may be seen that biometric data processing activities will be subject to a more rigid regime than the past. We believe that this rigidness will coincide with Article 29 Working Party's opinions regarding processing of biometric data as well.

In this context, we are of the opinion that the Board may carry out an examination based on this guide⁴ and in line with the GPDR's application regarding the issues such as taking special security measures, presenting appropriate privacy notices, conducting necessary processes within the scope of the principle of accountability, and may impose strict sanctions together with reference to the guide in case of violations. It should be noted that the Biometric Data Guide underlines data controllers' ability to document the execution of the said evaluations (why other types of data were not preferred and why such biometric data is decided to be processed etc.). Therefore, implementing internal evaluation and documentation procedures (similar to data protection impact assessment) may be beneficial in order to prove that the recommended steps were indeed taken (before processing biometric data).

In line with all above presented principles and rules, it is recommended for data controllers to review their current biometric data processing activities and carry out the necessary studies to comply with the Biometric Data Guide.

Footnotes

1 Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

2 Under this decision of the Board, the latter had made a reference to the Working Party 29's Opinion 3/2012 on developments in biometric technologies and its evaluation on the proportionality.

3 Please note that the administrative monetary fine limits are applicable for the year 2021 and the said amounts shall vary based on the annual re-evaluation.

4 Guidelines published by the Authority are not legally binding, but these guidelines may be taken into consideration by the Board during its investigations in the future. Within this regard, the Board may evaluate non-compliance with the recommendations stated under the guidelines to the detriment of the data controller (Board has been already directly referring to the Authority's guidelines within its decisions.)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.