Pursuant to the decision (“Decision”) of the Personal Data Protection Board (“Board”) dated 01.12.2020 and numbered 2020/915, issued upon the complaint of an employee working as an official of the data controller, who stated that their personal data is processed through fingerprint scanning devices for work entry and exit tracking, the Board decided to instruct the data controller to terminate biometric data processing for employee tracking and to remove the existing system. The content of the decision in question is as follows:
1- Subject of the Application:
In the complaint made by the data subject, it was stated that:
- Personal data is processed with fingerprint scanning devices in order to track employees’ entry and exit,
- The data subject applied to the data controller requesting deletion of her/his fingerprint information and to be informed regarding the process,
- In the reply provided to the applicant, it was declared that the data in question shall not be deleted from the data controller’s systems,
- Fingerprint data cannot be processed without the data subject’s consent, and the applicant’s request for deletion of the data has not been accepted despite an official application.
2- Defense of the Data Controller:
It was stated that:
- The employee was informed regarding data processing activities, the policies and procedures regarding the protection and processing of personal data were drafted, and the data controller was audited by the Independent Audit Firm and was certified with the BS10012-2009 Data Protection and Personal Information Management Standard Certificate,
- The data subject’s application was not submitted via a Personal Data Protection Application Form; additionally, the application was not submitted to the employee who acts as the data controller representative, and instead was submitted to the Directorate of Human Resources and Education with the title Request for Information and Documentation; hence the application was not regarded as within the scope of the PDP Law, and there was no statement indicating that the fingerprint cannot be deleted,
- In accordance with the Employee Tracking System (“PDKS”) implemented by the Presidency, fingerprint data obtained from employees are used only for time keeping; the fingerprint system has been disabled due to the epidemic; the fingerprint data has been turned into a template which cannot be viewed or processed in any way; and the encrypted fingerprint template uses a special algorithm which may not be accessed by third parties.
It has been evaluated by the Board that:
- The processing of fingerprint data of the employee by the data controller for time keeping is considered the processing of a special category of personal data, since fingerprint data is considered biometric data,
- Fingerprints obtained from the employee in accordance with the employee tracking system are used by the data controller for time keeping; however, considering that the data subject has complained about the processing of fingerprint data without his consent, it is concluded that the data subject does not give explicit consent to time keeping via the use of fingerprint data,
- It is concluded that the data processing is contrary to the principle of proportionality,
- The data subject made a request for the deletion of his personal data, but the data controller did not consider the application of the data subject within the scope of the Law and did not respond to the request of the data subject regarding deletion, and thus this case is contrary to good faith.
4- The Decision:
It has been decided to instruct the data controller to immediately destroy the data related to fingerprints processed and stored by the data controller, to promptly notify third parties to whom the fingerprint data was transferred, to provide alternative means of time keeping and employee tracking, and to terminate the current practice.
You may reach the full Turkish version of the Decision of the Authority via the link below: