On 16 September 2021 the Turkish Personal Data Protection Board (“Board”) published a Guideline on the Processing of Biometric Data (“Guideline”). The Guideline defines biometric data, describes how it is processed, sets out the principles that shall be followed during processing, and lists the measures that shall be taken.
First, the Guideline notes that biometric data, although treated as a special category of personal data in Article 6 of the Law on Protection of Personal Data No. 6698 (“Law”), titled "conditions for the processing of special categories of personal data", had not been comprehensively defined in the legislation published to date. The Guideline therefore defines biometric data in the light of judicial decisions and of the definitions in the European Union General Data Protection Regulation (“GDPR”). On that basis it explains that "biometrics" refers to the physical or behavioral characteristics of human beings, and that biometric data is personal, unique, and distinctive.
In addition, the Board explains that biometric data is data that a person cannot forget, that generally does not change over a lifetime, and that can be captured effortlessly without any active intervention by the data subject. The Board divides biometric data into two categories, physiological and behavioral. Features such as a fingerprint, retina, palm print, face, hand geometry or iris constitute physiological biometric data, while features such as a person's gait, keystroke pattern or driving style constitute behavioral biometric data.
Moreover, the Guideline notes that data controllers may process biometric data only in accordance with the general principles and the processing conditions set out in Articles 4 and 6 of the Law. To clarify what this requires in practice, the Guideline sets out the following principles for the processing of biometric data as special category personal data under Article 6 of the Law:
- The core of fundamental rights and freedoms shall not be infringed upon by biometric data processing activities.
- The method used for biometric data processing, and the processing activity itself, should be suitable for achieving the purpose of the processing.
- The biometric data processing method should be necessary for the purpose to be achieved.
- The purpose and means to be achieved by biometric data processing shall be proportionate.
- Biometric data should be kept only for as long as necessary, and once the necessity ceases, the data should be destroyed without delay.
- Data controllers shall fulfill the obligation to inform under Article 10 of the Law, limited to the purpose of the processing.
- Where explicit consent is required, the explicit consent of the data subjects shall be obtained in accordance with the Law.
In addition, the data controller should keep records demonstrating that all of the principles specified in the Guideline are met. The Guideline also stipulates that genetic data should not be captured while biometric data is being obtained unless it is necessary. Where a type or types of biometric data are selected, the data controller must document the reasons for choosing that type over the alternatives. Finally, every type of biometric feature should be processed only for the required period, and the data controller should explain in its personal data retention and destruction policy how long the data will be kept and why.
To ensure the security of biometric data, the Guideline stipulates that data controllers processing such data shall, in addition to the applicable laws, regulations and communiqués, also take the measures specified in the Board's decision on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" and in its previous guides.
In addition to the data security measures in those regulations and guides, the Guideline introduces further measures specific to biometric data processing:
- Biometric data shall be stored in cloud systems only in encrypted form, using cryptographic methods.
- Derived biometric data (templates) should be stored in a form that does not allow the original biometric feature to be reconstructed from it.
- Biometric data and its templates should be encrypted with cryptographic methods that provide adequate security in light of current technology, and the encryption and key management policy should be clearly defined.
- Before installing the system and after any change to it, the data controller should test the system with synthetic data in test environments created for that purpose.
- The data controller should limit the use of real biometric data in testing work, and all such data should be deleted at the end of the tests at the latest.
- The data controller should implement measures that warn the system administrator and/or delete and report biometric data in the event of unauthorized access to the system.
- The data controller should use certified equipment and licensed, up-to-date software, should give preference to open-source software, and should apply the necessary updates to the system on time.
- The lifetime of devices that process biometric data should be traceable.
- The data controller should be able to monitor and limit user actions within the software that processes biometric data.
- Hardware and software tests of the biometric data system should be performed periodically.
- An alternative system should be provided, without restrictions or additional cost, for data subjects who cannot use the biometric solution or who do not give explicit consent to it.
- An action plan should be established for cases where biometric authentication fails or cannot be used.
- A mechanism for authorized persons to access biometric data systems shall be established and managed, and the persons responsible for these systems shall be identified and documented.
- Personnel involved in biometric data processing should receive specific training on the processing of biometric data, and such training should be documented.
- A formal reporting procedure should be established so that employees can report possible security vulnerabilities in systems and services, and the threats that may arise from them.
- The data controller should establish an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.
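The encryption and key-management measures above are stated as requirements, not as a design. As an added illustration, which is not part of the Guideline and not code from the authors, the following Go program shows one way a controller can satisfy them for a stored template: the template is sealed with AES-256-GCM under a versioned key, the record carries the key id so that rotation and retirement are auditable, and the data subject id and processing purpose are bound into the authenticated associated data so that a record copied to another subject or reused for another purpose fails to open. The keyring, the key ids, the subject id and the purpose string are assumptions of this example; in production the keys would live in a KMS or HSM. Note that this addresses confidentiality and key management only, not the separate irreversibility measure: whoever holds the key recovers the template, so irreversibility has to come from how the template is derived, not from how it is stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring stands in for a KMS/HSM-backed key store (an assumption of this
// example). Each 32-byte AES-256 key has an id, so a stored record states
// which key version sealed it; that is what makes rotation and retirement
// traceable rather than guesswork.
type Keyring struct {
	keys   map[string][]byte
	active string
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string][]byte{}} }

// AddKey generates a fresh random key under id and makes it the active key.
func (k *Keyring) AddKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id] = key
	k.active = id
	return nil
}

// Retire drops a key version. Records still sealed under it become
// unreadable, so call it only after every record has been re-sealed.
func (k *Keyring) Retire(id string) { delete(k.keys, id) }

// SealedTemplate is the only form in which a template is ever persisted.
type SealedTemplate struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a record to one data subject and one purpose. GCM authenticates
// it, so the record cannot be moved to another subject or reused elsewhere.
func aad(subjectID, purpose string) []byte { return []byte(subjectID + "\x00" + purpose) }

// Seal encrypts a template under the active key with a random 96-bit nonce.
func (k *Keyring) Seal(template []byte, subjectID, purpose string) (*SealedTemplate, error) {
	key, ok := k.keys[k.active]
	if !ok {
		return nil, errors.New("no active key")
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, template, aad(subjectID, purpose))
	return &SealedTemplate{KeyID: k.active, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. Tampering, a wrong subject, a wrong purpose or a
// retired key version all yield an error instead of a template.
func (k *Keyring) Open(s *SealedTemplate, subjectID, purpose string) ([]byte, error) {
	key, ok := k.keys[s.KeyID]
	if !ok {
		return nil, fmt.Errorf("key %q is unknown or retired", s.KeyID)
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, s.Nonce, s.Ciphertext, aad(subjectID, purpose))
}

// Rotate re-seals a record under the current active key and wipes the
// plaintext copy it had to make in the process.
func (k *Keyring) Rotate(s *SealedTemplate, subjectID, purpose string) (*SealedTemplate, error) {
	pt, err := k.Open(s, subjectID, purpose)
	if err != nil {
		return nil, err
	}
	defer zero(pt)
	return k.Seal(pt, subjectID, purpose)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

A typical flow is `AddKey` for the first key version, `Seal` at enrolment, `Open` at each verification with the same subject id and purpose that were used at enrolment, then `AddKey` for the next version, `Rotate` over every stored record, and only then `Retire` of the old version. The key id in each record is what lets an auditor confirm that no record remains under a retired key, which is the documented key-management policy the Guideline asks for.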
Simge Kılıç, Esra Temur