Turkish Data Protection Authority publishes guideline on the processing of biometric data

Turkey

On 17 September 2021, the Turkish Data Protection Authority published the Guide to the Processing of Biometric Data (the "Guideline"), which sets out the principles to be followed when processing biometric data. Under the Turkish Data Protection Law (Law No. 6698), biometric data are a special category of personal data ("sensitive data") and are subject to stricter processing conditions.

Principles of the processing of biometric data

The Data Protection Authority has noted the following with regard to the processing of biometric data:

  • The data controller should respect the following principles when processing biometric data:

      • The essence of the fundamental rights and freedoms of the data subject should not be compromised;

      • The nature of the processing activity must be suitable for achieving the objective pursued by the processing activity;

      • The nature of the processing activity must be necessary for the achievement of the objective pursued by the processing activity;

      • The nature of the processing must be proportionate to the aim pursued by the processing;

      • The biometric data processed may only be stored for as long as necessary and must then be destroyed or deleted without delay;

      • Data controllers must comply with the information obligations set out in the Law; and

      • Where processing is based on explicit consent, such consent must be given in accordance with the Law.

  • Compliance with the above principles should be recorded and documented by the data controller.

  • Genetic data (for example, obtained from blood or saliva samples) should not be collected alongside biometric data unless absolutely necessary.

  • The reason for deciding to process one type of biometric data (e.g. iris information, fingerprints, etc.) rather than another should be explained, and this reasoning should be documented and made available to the data subjects.

  • The maximum period for which biometric data will be processed must be specified. The controller should also state this period, and the reasons for retaining the data, in its personal data retention and destruction policy.

Technical and organisational measures

With regard to the processing of biometric data, the Guideline requires the data controller to take several technical and organisational measures, including the following:

Technical Measures

  • Biometric data should be encrypted using cryptographic methods that provide sufficient security;

  • Biometric data can only be stored in cloud systems if cryptographic methods are used for protection;

  • Derived biometric data (türetilmiş biyometrik veri, such as templates or feature sets extracted from a raw sample) should be stored in such a way that the original biometric data from which they were derived cannot be recovered;

  • Before setting up a data processing system and when making changes to such a system, the environment set up should be tested with synthetic data and data controllers should refrain from using actual biometric data for testing this system;

  • Data controllers must use certified devices and licensed, up-to-date software which, in the event of unauthorised access to the system, deletes the biometric data, alerts the system administrator and generates a report;

  • The useful life of the devices that process biometric data should be tracked;

  • The controller should be able to monitor and restrict user actions in the biometric data processing software; and

  • Hardware and software tests of the biometric data system should be carried out at regular intervals.
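The first two technical measures (encrypt biometric data with adequately strong cryptography, and store it in the cloud only under cryptographic protection) are stated as requirements without a reference design. The following Go program is an added example, not code from the Authority or from CMS, of one common way to meet them: envelope encryption with AES-256-GCM, where a per-record data-encryption key is wrapped under a key-encryption key (KEK) that the controller keeps outside the cloud store (in practice in an HSM or KMS; here it is simply a byte slice, which is an assumption of the example). The subject identifier is bound as associated data so that a stored record cannot be silently re-attached to another person, and a small check confirms that nothing reaching the store contains the raw template. The template bytes are a constructed placeholder, not a real biometric template.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedTemplate is the only thing the cloud store ever receives: wrapped key
// material, nonces and ciphertext. The raw template and the KEK stay inside
// the controller's trust boundary.
type SealedTemplate struct {
	WrappedDEK []byte // per-record data-encryption key, AES-GCM encrypted under the KEK
	DEKNonce   []byte
	Nonce      []byte
	Ciphertext []byte // template encrypted under the DEK; subject ID bound as AAD
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal encrypts a biometric template for storage. kek is the controller-held
// key-encryption key (assumed to come from an HSM/KMS in a real deployment).
func Seal(kek []byte, subjectID string, template []byte) (*SealedTemplate, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	kekAEAD, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	dekNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	dekAEAD, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	aad := []byte(subjectID)
	return &SealedTemplate{
		WrappedDEK: kekAEAD.Seal(nil, dekNonce, dek, aad),
		DEKNonce:   dekNonce,
		Nonce:      nonce,
		Ciphertext: dekAEAD.Seal(nil, nonce, template, aad),
	}, nil
}

// Open unwraps the DEK with the KEK and decrypts the template. A wrong KEK,
// a different subject ID or any modification of the record fails authentication.
func Open(kek []byte, subjectID string, s *SealedTemplate) ([]byte, error) {
	aad := []byte(subjectID)
	kekAEAD, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, s.DEKNonce, s.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong subject or tampered record")
	}
	dekAEAD, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dekAEAD.Open(nil, s.Nonce, s.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("template authentication failed")
	}
	return pt, nil
}

// LeaksPlaintext reports whether any field sent to the store contains the raw
// template, a cheap sanity check for the "only ciphertext leaves" requirement.
func LeaksPlaintext(s *SealedTemplate, template []byte) bool {
	for _, field := range [][]byte{s.WrappedDEK, s.DEKNonce, s.Nonce, s.Ciphertext} {
		if bytes.Contains(field, template) {
			return true
		}
	}
	return false
}

func main() {
	kek, _ := randomBytes(32)
	template := []byte("CONSTRUCTED-MINUTIAE-TEMPLATE-0001") // constructed placeholder, not real biometric data
	sealed, err := Seal(kek, "subject-42", template)
	if err != nil {
		panic(err)
	}
	fmt.Println("raw template present in stored record:", LeaksPlaintext(sealed, template))
	pt, err := Open(kek, "subject-42", sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, template))
	_, err = Open(kek, "subject-43", sealed)
	fmt.Println("record re-bound to another subject rejected:", err != nil)
}
```

Key rotation then means re-wrapping the small WrappedDEK fields under a new KEK rather than re-encrypting every template, and deletion "without delay" can be implemented by destroying the KEK, after which every record sealed under it is unrecoverable regardless of how many cloud backups still hold the ciphertext.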

Organisational measures

  • For individuals who cannot use biometric solutions (e.g. where biometric data cannot be captured or read, or where obstacles make the system difficult to use) or who have not explicitly consented to the processing of their biometric data, alternative systems should be available without additional costs or restrictions;

  • An action plan should be established for cases where identity authentication by biometric methods is not possible or not successful;

  • Staff involved in the processing of biometric data should be specifically trained and it should be documented whether staff have received such training;

  • Access to biometric data systems should be limited to authorised persons through an access-control mechanism that is established and properly managed;

  • A formal reporting procedure should be established to enable relevant personnel to report potential security vulnerabilities and associated risks; and

  • The data controller should establish a contingency procedure in the event of a data breach and inform all data subjects of this policy.

Conclusion

As biometric data become more important with the spread of biometric identity authentication methods and advances in wearable technology, specific measures to protect such data have become necessary. For this reason, the Authority has published the Guideline, which sets out specific measures for the control and security of biometric data.

For more information about this Guideline and data security in Turkey, please contact your regular CMS consultant or local CMS experts Dr. Döne Yalçın or Sinan Abra.