Legal AlertThe Personal Data Protection Board Has Published a Breach Decision Regarding Processing of the Data Subject’s ‘Hand Geometry’ Information to Access the Service Building of an Enterprise by the Data Controller without Explicit Consent .

6 October 2022
The decision of the Personal Data Protection Board (“Board”) dated 07.07.2022 and numbered 2022/667, regarding processing of the data subject’s ‘hand geometry’ information to access the service building of an enterprise by the data controller company (“Data Controller”) without explicit consent (“Decision”) has been published.
In summary, the data subject submitted a complaint to the Personal Data Protection Authority (“Authority”), and stated the following;
The data subject had to put his hand on a device and log in his password to access the service area, therefore the palm and fingerprints of the data subject were scanned without a legally valid explicit consent. The data subject applied to the Data Controller in accordance with the Personal Data Protection Law No. 6698 (“Law“), but the response given was found insufficient and it was requested from the Authority to take the necessary action.
In the defence received on the subject, the Data Controller stated that,
  • At the entrance of the enterprise, a private password is taken from the people alongside their hand geometry with the help of a device called “Hand Geometry Terminal,” and that this is a different system from fingerprint and palm scanning,
  • While the fingerprint and palmprint are unique for each person, hand geometry only includes data such as the length of the fingers and the distance between the joints, therefore it is personal data rather than special categories of personal data since it cannot be used to identify someone on its own,
  • Collection of such data was necessary to prevent abuse of the subscription.
In the examination conducted on the subject, the Board;
  • Firstly, drew attention to the fact that it is stated in Article 6 titled “Conditions for Processing Special Categories of Personal Data” of the Law, that “biometric and genetic” data are determined as special categories personal data, and that it is prohibited to process special categories of personal data without the explicit consent of the data subject.
  • Stated that the name of the said device is “… Biometric Hand Terminal,” and that the indispensable feature of hand geometry reading technology, which is a biometric system, is to obtain accurate results, and the margin of error in this device is 1/101.559.956.668.416.
  • The Board also stated that in the decision no. 2014/4562 of the 15th Chamber of the Council of State, it was stated that biometric systems include methods like fingerprint recognition, palm scanning, hand geometry recognition, and iris recognition;
  • In the Decision of the Constitutional Court dated 10.03.2022 with the application number 2018/11988, it is stated that biometric data is accepted as “special categories of personal data due to its importance because it contains biological or behavioral information on the data subject which enables a person to be distinguished from other persons and to identify the identity of the person;”
  • There is no lawful basis for processing s special categories of personal data to ensure control at the entrances to the service building of the Data Controller, or for the use of biometric data-based systems in this context.

The Board decided to impose an administrative fine of TRY 100,000 on the Data Controller pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law, considering the fact that the personal data subject to the complaint is special categories of personal data, and that subscribers other than the complainant are also affected by the processing of special categories of personal data in violation of the Law.

You may reach the full Turkish text of the Decision via the link below.