The Personal Data Protection Authority Published the “Guiding Principal Decision on Matters to be Considered in Processing of Biometric Data”.
|The Personal Data Protection Authority (“Authority”) published the “Guiding Principal Decision on the Matters to be Considered in Processing of Biometric Data” (“Principal Decision”) on its website on 16.09.2021.
The Principal Decision primarily states the relevant article of the Personal Data Protection Law No. numbered 6698 (“PDP Law”) on the special categories of personal data and the definition of biometric data under Article 4 of the European Union General Data Protection Regulation (“GDPR”). Afterwards, the Principal Decision provides a definition of the biometric data as the “data that is impossible for people to forget, does not change for life, and is effortlessly owned without the need for any intervention” based on the definitions stated under the judicial decisions before the adoption of the PDP Law.
According to the Principal Decision, while biometric data such as the fingerprint, retina, palm, face, hand shape, and iris of a person constitute the physiological biometric data; biometric data such as the person’s walking and driving style, and the way of pressing the keyboard constitute the behavioural biometric data.
As stated by the Principal Decision, in the processing of biometric data, existence of the biometric data processing conditions and complying with the general principles under Article 4 of the PDP Law should be a must. The Principal Decision also emphasizes the importance of making evaluations within the frame of the concrete case apart from fulfilling the conditions stipulated under the PDP Law on determining whether the biometric data is processed. At this point, in the light of the Personal Data Protection Boards’ (the “Board”) Decision numbered 2019/81 and the Summary Decision numbered 2019/165, it is stated under the Principal Decision that the Board has certain judgement on the matters of explicit consent and proportionality, but different judgements can be made in different cases where the concrete case requires to do so, to the extent that it is in compliance with the PDP Law.
Pursuant to the Principal Decision, in accordance with the general principles set forth under Article 4 of the PDP Law, and the conditions set forth under Article 6 of the PDP Law, data controller shall only be able to process biometric data in compliance with the following principles:
Apart from these principles, data controller;
It is stated under “Biometric Data Security” title of the Principal Decision that the data controllers processing biometric data shall pay attention to the regulations related to the personal data security, stated under the regulations, communiques, and the Board Decisions. Within this frame, it is mentioned that the measures specified in the Board’s Decision numbered 2018/10 on “Adequate Precautions to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” shall be taken.
Finally, the Principal Decision, apart from the measures stated under the Board Decision numbered 2018/10, specifies the technical and administrative measures required to be taken by the data controller as follows.
You can access the full Turkish text of the Principal Decision via the link below.