Legal AlertGuiding Principal Decision on Matters to be Considered in Processing of Biometric Data

17 September 2021

The Personal Data Protection Authority Published the “Guiding Principal Decision on Matters to be Considered in Processing of Biometric Data”.

The Personal Data Protection Authority (“Authority”) published the “Guiding Principal Decision on the Matters to be Considered in Processing of Biometric Data” (“Principal Decision”) on its website on 16.09.2021.

The Principal Decision primarily states the relevant article of the Personal Data Protection Law No. numbered 6698 (“PDP Law”) on the special categories of personal data and the definition of biometric data under Article 4 of the European Union General Data Protection Regulation (“GDPR”). Afterwards, the Principal Decision provides a definition of the biometric data as the “data that is impossible for people to forget, does not change for life, and is effortlessly owned without the need for any intervention” based on the definitions stated under the judicial decisions before the adoption of the PDP Law.

According to the Principal Decision, while biometric data such as the fingerprint, retina, palm, face, hand shape, and iris of a person constitute the physiological biometric data; biometric data such as the person’s walking and driving style, and the way of pressing the keyboard constitute the behavioural biometric data.

As stated by the Principal Decision, in the processing of biometric data, existence of the biometric data processing conditions and complying with the general principles under Article 4 of the PDP Law should be a must. The Principal Decision also emphasizes the importance of making evaluations within the frame of the concrete case apart from fulfilling the conditions stipulated under the PDP Law on determining whether the biometric data is processed. At this point, in the light of the Personal Data Protection Boards’ (the “Board”) Decision numbered 2019/81 and the Summary Decision numbered 2019/165, it is stated under the Principal Decision that the Board has certain judgement on the matters of explicit consent and proportionality, but different judgements can be made in different cases where the concrete case requires to do so, to the extent that it is in compliance with the PDP Law. 

Pursuant to the Principal Decision, in accordance with the general principles set forth under Article 4 of the PDP Law, and the conditions set forth under Article 6 of the PDP Law, data controller shall only be able to process biometric data in compliance with the following principles:

  1. The core principles of the fundamental rights and freedoms shall be preserved while processing biometric data;
  2. The method used for processing biometric data shall be suitable for achieving the purpose of processing and the data processing activity shall be suitable for the purpose to be achieved;
  3. The biometric data processing method shall be necessary for the purpose to be achieved;
  4. A proportion shall be established between the purpose to be achieved by the data controller and the tool;
  5. The biometric data shall be stored for a required period and shall be destroyed without any delay/immediately after such requisite disappears.
  6. Data Controllers shall fulfil their obligation to inform the data subjects in accordance with Article 10 of the PDP Law, but limited to the purpose of processing and
  7. Explicit consent shall be obtained from the data subjects, if required in accordance with the PDP Law.

Apart from these principles, data controller;

  1. Shall record and document that all the principles listed in the Principal Decision are met;
  2. Shall not collect genetic data while collecting biometric data, if not necessary;
  3. Shall provide justification and documentation as to preference of certain type or types of biometric data;
  4. Shall state the retention periods and their reasonings in the Personal Data Retention and Destruction Policy in accordance with Article 4/1-d of the PDP Law.

It is stated under “Biometric Data Security” title of the Principal Decision that the data controllers processing biometric data shall pay attention to the regulations related to the personal data security, stated under the regulations, communiques, and the Board Decisions. Within this frame, it is mentioned that the measures specified in the Board’s Decision numbered 2018/10 on “Adequate Precautions to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” shall be taken.

Finally, the Principal Decision, apart from the measures stated under the Board Decision numbered 2018/10, specifies the technical and administrative measures required to be taken by the data controller as follows.

Technical Measures:

  1. Cryptographic methods shall be used for storing of the biometric data in cloud systems, and encryption and key management policies shall be introduced; 
  2. Derived biometric data shall be kept in a way that does not allow recovery of the original biometric feature;
  3. The use of biometric data in testing environments shall be limited to necessity, if possible synthetic data shall be used for testing, biometric data shall be deleted latest by the end of the tests;
  4. Measures that warn the system administrator and/or delete biometric data and provide reports in case of an unauthorized access to the system shall be implemented;
  5. Certified equipment, licensed and up-to-date software shall be used, and open-source software shall be preferred within the system;
  6. Lifetime of the devices that process biometric data shall be monitorable;
  7. Logging and access authorizations regarding processing of biometric data shall be defined; and
  8. Periodic hardware and software tests for the biometric data system shall be conducted.

Administrative Measures: 

  1. An alternative system shall be provided without any restrictions or additional costs for the data subjects whose biometric data cannot be processed; 
  2. An action plan shall be established for the cases where an authentication by biometric methods cannot be fulfilled;
  3. Access authorizations shall be defined, access control matrixes shall be established and documented;
  4. Tailor made trainings on the processing of biometric data shall be given to the personnel involved in the processing of biometric data and such trainings shall be documented;
  5. A formal reporting procedure shall be established for the employees to report possible security gaps in the systems and services and
  6. An emergency procedure shall be implemented to be used in the event of a data breach and everybody concerned shall be announced.

You can access the full Turkish text of the Principal Decision via the link below.