The Turkish Personal Data Protection Authority (“DPA”) published the Guideline on Matters To Be Considered When Processing Biometric Data (“Guideline”) on 17 September 2021. The Guideline recalls the purpose and importance of the Turkish Law on the Protection of Personal Data (“DPL”) within the framework of the fundamental rights and freedoms of individuals, especially the “privacy of private life”. It also sets out the scope of special categories of personal data and defines biometric data.

One important aspect to point out at the beginning is that, when defining biometric data in the Guideline, the DPA refers to the EU’s General Data Protection Regulation. In this respect, data must meet the following conditions to be considered biometric data:

·Distinctive features of the individual, such as physiological, physical or behavioral characteristics, should be ascertained from the data processing,

·The ascertained features must be personal data that serve to identify the individual or verify the individual’s identity.

Within the scope of these criteria, the DPA has defined biometric data as data that people cannot forget, generally do not change for a lifetime and can be obtained effortlessly without the need for any intervention. Through the use of biometric data, it becomes easy to distinguish individuals from each other and the possibility of confusion is almost completely eliminated.

In this context, biometric data is divided into two categories: physiological and behavioral data. Biometric data such as fingerprint, retina, palm, face, hand shape and iris constitute physiological biometric data, while biometric data such as the person’s walking style, the way he/she presses the keyboard and driving style constitute behavioral biometric data.

In the Guideline, by referring to its previous decisions, the DPA states that each case must be evaluated individually. In order to make sure that the Guideline is useful, the DPA examines “Biometric Data Processing Principles” and “Biometric Data Security” in detail.

Biometric Data Processing Principles

1- The data controller can process biometric data in accordance with the general principles set forth in Article 4 and the conditions set forth in Article 6 of the DPL, provided that it also complies with the principles set forth below. In this context:

·Biometric data processing activities are also subject to the fundamental rights and freedoms regime and the processing activity should not violate the essence of fundamental rights and freedoms.

·The method must be suitable for achieving the purpose of processing, and the data processing activity must be suitable for the intended purpose.

·The biometric data processing method must be necessary for reaching the objective. Biometric data processing must be mandatory and necessary. If there is a less intrusive way to achieve such purpose, processing would be deemed as unnecessary.

·In each concrete case, “proportionality” must be evaluated. Proportionality means choosing the most suitable means of processing where more than one means is available.

·Data must be kept for as long as necessary, and once the necessity ceases, it must be destroyed without delay.

·Data controllers are required to fulfill their obligation to inform data subjects within the purpose of processing in accordance with Article 10 of the DPL.

·If explicit consent is required, the explicit consent of the data subjects must be obtained in accordance with the DPL. According to the DPL, consent must be an “explicit/active declaration of intent” and must be (i) relevant to the particular subject for which data are processed, (ii) informed, and (iii) freely given. Also, it must not be presented as a prerequisite for the provision of a service.

The DPA recommends documenting compliance with the above-mentioned issues. Further, the DPA states that choosing the right kind of biometric data is also important and that the reasons for choosing specific biometric data type(s) over others must be documented. Lastly, the DPA states that while collecting biometric data, genetic data should not be collected unless strictly necessary.

Biometric Data Security

In addition to these principles, the DPA sets out in the Guideline the organizational and technical measures for ensuring the security of biometric data. In this regard, it is stated that the measures specified in the DPA’s “Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data” decision numbered 2018/10 and dated 31/01/2018 must be taken. Additional measures specific to the processing of biometric data are also set forth.

1- Technical Measures

·Biometric data should be stored in cloud systems only by using cryptographic methods. The encryption and key management policy should be clearly defined.

·Derived biometric data should be stored in a way that does not allow the recovery of the original biometric feature.

·Before installing the system and after any changes, the data controller should test the system using synthetic (unreal) data in test environments to be created.

·Measures that warn the system administrator of unauthorized access and/or report and delete biometric data should be implemented.

·The data controller should use certified equipment and licensed and up-to-date software in the system, prefer open-source software and make the necessary updates to the system in a timely manner.

·The lifetime of devices that process biometric data should be monitored.

·The data controller should be able to monitor and limit user actions on the software.

·Hardware and software tests of the biometric data system should be done periodically.

2- Organizational Measures

·An alternative system should be provided for individuals who do not use the biometric solution (e.g. a disability that makes it difficult to use, or cases where it is impossible to save or read biometric data).

·An action plan should be established in case of failure to authenticate with biometric methods.

·A mechanism for authorized persons’ access to biometric data systems should be established and managed, and those responsible should be identified and documented.

·Relevant personnel must be trained, and the training must be documented.

·A formal reporting procedure should be established in order to report possible security vulnerabilities and threats that may arise as a result of such vulnerabilities.

·An emergency procedure to be implemented in the event of a data breach should be established and announced.