Duyurular

Turkish Data Protection Authority Updates the Guideline on Considerations in the Processing of Biometric Data

The Guideline on Considerations in the Processing of Biometric Data (“Guideline”) prepared by the Data Protection Authority (“Authority”) has been updated.

Amendments to Article 6 of the Law on the Protection of Personal Data have been introduced by the Law on the Amendment of the Code of Criminal Procedure and Certain Laws published in the Official Gazette dated 12 March 2024 and numbered 32487. Through these amendments, the legal grounds for the processing of special categories of personal data have been expanded and aligned with the primary legal grounds for personal data processing set forth in Article 5.

In this context the Guideline has been revised in line with the amendment and the subheadings “Principles for Processing Biometric Data” and “Biometric Data Security” have been incorporated into the Guideline.

The updated Guideline can be summarized as follows:

  • According to Article 6 of the Law on the Protection of Personal Data, special categories of personal data includes information relating to individuals’ race, ethnic origin, political opinions, religion, sect, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.
  • Although biometric data is not explicitly defined under the Law, the definition provided in Article 4 of the European Union General Data Protection Regulation (“GDPR”) is considered the most comprehensive definition in this field. According to the GDPR, biometric data refers to personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person.
  • Biometric data is categorized into two types: physiological and behavioral. Physiological biometric data includes data based on an individual’s physical characteristics, such as fingerprints, iris, facial features, retina, and palm prints. On the other hand, behavioral biometric data consists of data relating to an individual’s behavioral traits, such as gait, typing patterns, and driving habits. These types of data are unique and specific to the individual, typically unchangeable over a lifetime, impossible to forget, and naturally inherent to the individual without the need for any external intervention.
  • In the processing of biometric data, compliance with the general principles outlined in Article 4 of the Law is of great importance. Furthermore, according to the third paragraph of Article 6 of the Law, the processing of special categories of personal data is, as a rule, prohibited. However, the processing of such data may be permitted under the following circumstances:

a) Data subject has given his/her explicit consent,

b) It is explicitly provided by laws,

c) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

ç) It relates to personal data that have been made public by the data subject, and processing is in consistent with data subject’s intention to make such data public,

d) It is necessary for the establishment, exercise or protection of any right,

e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health-care services by persons subject to legal obligation of confidentiality or by competent public institutions and organizations,

f) It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,

g) It relates to the current or former members and affiliates of foundations, associations and other non-profit organizations established for political, philosophical, religious, or trade union purposes or to individuals who are in regular contact with these organizations, provided that such processing complies with the applicable legislation governing these organizations and their objectives is limited to the organizations’ fields of activity and does not involve disclosure of data to third parties.

  • The mere existence of legal grounds for processing biometric data is not sufficient; compliance with the general principles set forth in Article 4 of the Law is also mandatory in all cases. These principles include lawfulness and fairness, accuracy and up-to-dateness, purpose limitation, relevance and proportionality to the purpose of processing, and storage of data only for the period necessary for the purpose.
  • When assessing whether biometric data is being processed in compliance with the law, the specific circumstances of each case must be taken into account, and the evaluation must be made accordingly.
  • Under the section titled Biometric Data Security, it is emphasized that data controllers who process biometric data are required to strictly comply with the obligations set forth in the relevant legislation on personal data security, the decisions of the Board, and guideline documents. In this context, data controllers are obliged to implement the necessary technical and administrative measures by considering the nature of biometric data and the potential risks it may pose to the data subject. The Guideline provides examples of such technical and administrative measures that may be taken by data controllers.

You can access the full text of the Guideline (in Turkish) here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances, do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website’s publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of by Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.