THE GUIDELINE ON PROCESSING BIOMETRIC DATA

On 17 September 2021, the Guideline on Processing Biometric Data was published by the Turkish Personal Data Protection Authority (DPA). The guideline contains the definition of biometric data, how such data is processed, the principles to be followed during processing and the measures to be taken.

In article 6 of the Personal Data Protection Law (“Law”), titled “Conditions for the processing of personal data of special nature”, biometric and genetic data are counted as sensitive personal data. Although the Law treats biometric data as personal data of special nature, it had not been comprehensively defined in the legislation until this guideline. According to the guideline, biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, such as facial images or dactyloscopy data, which enables to recognize or confirms the unique identification of a natural person”.

Biometric data cannot be forgotten, does not change over a lifetime, and can be obtained easily without any intervention by the person. When processing biometric data, it is important that the conditions for such processing exist and that the general principles set out in article 4 of the Law are complied with. According to the third paragraph of article 6, personal data other than data relating to health and sexual life may be processed without the explicit consent of the person concerned in cases stipulated by law.

According to the guideline, the data controller may process biometric data under the general principles in article 4 of the Law and the conditions set out in article 6, provided that the following principles are observed:

  • The essence of fundamental rights and freedoms must not be affected,
  • The method used must be suitable for achieving the purpose of processing, and the data processing activity must be suitable for the purpose to be achieved,
  • The biometric data processing method must be necessary for the purpose to be achieved,
  • The means of data processing must be proportionate to the purpose to be achieved,
  • The data must be kept only for as long as necessary and destroyed immediately, without delay, once the necessity disappears,
  • The data controller must fulfill its obligation to inform,
  • If explicit consent is required, the explicit consent of the individuals concerned must have been obtained under the Law.

According to the guideline, compliance with all of these principles must be recorded and documented by the data controller. Unless necessary, genetic data (blood, saliva, etc.) must not be collected while biometric data is being obtained. Under the principle in subparagraph (d) of the first paragraph of article 4 of the Law that data be kept only for the period required for the purpose for which it is processed or stipulated in the relevant legislation, the maximum retention period for the personal data must be determined.

When processing sensitive personal data, it is obligatory to take the measures specified in the DPA’s decision dated 31/01/2018 and numbered 2018/10 on “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data”. In addition to the data security measures in the aforementioned legislation and guidelines, data controllers must also take the following measures regarding biometric data processing:

  • Biometric data stored in cloud systems must be stored using cryptographic methods.
  • Derived biometric data must be stored in a way that does not allow the recovery of the original biometric feature.
  • Biometric data and its templates should be encrypted with cryptographic methods that will provide adequate security. The encryption and key management policy should be clearly defined.
  • Before installing the system and after any changes, the data controller must test the system through synthetic data in the test environments.
  • The data controller must limit the use of biometric data to what is necessary for the studies to be carried out for testing purposes. All data must be deleted at the end of the tests at the latest. 
  • The data controller must implement measures that warn the system administrator and/or delete and report biometric data in case of unauthorized access to the system.
  • The data controller must use certified equipment and licensed, up-to-date software in the system, prefer open-source software primarily, and make the necessary updates to the system on time.
  • The lifetime of devices that process biometric data must be traceable.
  • The data controller must be able to monitor and limit user actions on the software that processes biometric data.
  • Hardware and software tests of the biometric data system must be performed periodically.  

Administrative measures are as follows:

  • An alternative system must be provided, without any restrictions or additional costs, for persons who cannot use the biometric solution (because it is impossible to record or read their biometric data, because of a disability that makes it difficult to use, etc.) or who have not given explicit consent to its use.
  • An action plan must be established in case of system failure or failure to authenticate with biometric methods (failure to verify identity, lack of authorization to enter a secure area, etc.).
  • An access mechanism for authorized persons to biometric data systems must be established and managed, and those responsible must be identified and documented.
  • Personnel involved in biometric data processing must receive special training on the processing of biometric data and such training must be documented.   
  • A formal reporting procedure must be established so that employees can report possible security vulnerabilities in systems and services and threats that may arise as a result of such vulnerabilities.
  • The data controller must establish an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.

You can find the full text here.


Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr