The Republic of Turkey Identity (ID) Card Electronic Authentication System Regulation (“Regulation”) published in the Official Gazette of the Republic of Turkey dated 22.10.2020 and numbered 31282, regulated the procedures and principles of the ID Authentication System (“System”). Pursuant to the Regulation, the service provider certification applications in the field of electronic ID card shall be made to the General Directorate of Population and Citizenship Affairs, the applications shall be finalized by the System’s Evaluation Commission and submitted to the Ministry of Interior Affairs for approval, and in pursuit of the approval, the ID Authentication Service Providers (“ASP”) shall commence providing their services.
In the Regulation, the provisions regarding the processing, protection and security of personal data also draw attention. Some of these provisions are briefly as follows;
- ASP may not transfer/process signature creation and authentication data and their certificates related to the System outside the borders of the Republic of Turkey,
- The validity period of the signature creation and authentication data of the ASP cannot exceed 10 (ten) years.
- The data encrypted on the ID card cannot be used except for authentication purposes.
- Biometric data and PIN or PUK information regarding ID card cannot be collected, stored or shared.
- Access to personal data and special categories of personal data in the System and the security of these data are provided in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation and in accordance with the adequate measures determined by the Personal Data Protection Board.
- Other procedures and principles regarding security relating to the System shall be determined by the General Directorate.