Personal data, one of the most discussed topics in the legal world, is protected in many countries, and it is regulated in Turkey under the Personal Data Protection Law, number 6698 (the “Law”), and secondary legislation. In addition, the decisions of the Personal Data Protection Board established under the Law (the “Board”), provide insight on the rules applicable to data controllers and processors.
There are several general principles in the Law related to the processing of both personal and “sensitive” personal data, with decisions of the Board helping to determine the necessary degree of compliance with them. Biometric data, such as fingerprint, face, and DNA information, is considered sensitive personal data, the processing of which is subject to strict conditions and additional measures. The most important principle applied to processing of sensitive personal data is that it be “relevant, limited, and proportionate to the purposes of processing.
The Board’s decisions in cases where data controllers providing sports club services processed members’ biometric data are instructive. In these decisions, the Board determined that obtaining the biometric data (related to palm prints) of members who wish to access sports club services is incompatible with the “being relevant, limited, and proportionate to the purposes of processing” principle, since it was possible to control their access by alternative means. As a result, the Board imposed administrative fines on the data controllers and instructed them to control access by alternative means and cease the processing of biometric data.
State Council rulings related to biometric data processing are also instructive. The most important decision for these purposes concerns the rejection of an employee’s claim requesting the termination of a face-scanning system used to track employee shifts. The Administrative Court rejected the claim of the employee as: (i) the relevant method was not used in all units; (ii) the system was put in practice after the employer had encountered difficulties using alternative means to control of the employees’ shifts and, (iii) the face scans of employees were converted into digital codes. However, and despite the Administrative Court’s ruling, the State Council deemed the usage of face scanning a breach of right of privacy as not “relevant, limited, and proportionate to the purposes of processing” principle.
Thus, although there is no established precedent for the usage of biometric data processing systems, the Board and State Council’s decisions demonstrate that the principle that the use of sensitive personal data be “relevant, limited, and proportionate to the purposes of processing” is of the highest importance. Therefore, data controller companies using systems that process biometric data, especially for the purposes of tracking personnel or building security, should evaluate whether there is a reasonable balance between the use of these systems and the benefit intended. As it is not yet clear which conditions the Board will accept as being in full compliance with the above-stated principles, data controllers are encouraged to apply additional administrative and technical measures set out in the Law and in compliance with the Board’s decisions. In the upcoming days, one can expect the conditions in which biometric data can be lawfully processed to become clearer as the Board’s decisions accumulate.
By Derya Apaydin, Partner, and Ecem Yildirim, Associate, Apak | Uras
This Article was originally published in Issue 7.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.