Mon, Sep
54 New Articles

A Review of Biometric Data Processing Systems Usage Under the Personal Data Protection Law and Secondary Legislation

Biometric Data Processing Systems

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Personal data, one of the most discussed topics in the legal world, is protected in many countries, and it is regulated in Turkey under the Personal Data Protection Law, number 6698 (the “Law”), and secondary legislation. In addition, the decisions of the Personal Data Protection Board established under the Law (the “Board”), provide insight on the rules applicable to data controllers and processors.

There are several general principles in the Law related to the processing of both personal and “sensitive” personal data, with decisions of the Board helping to determine the necessary degree of compliance with them. Biometric data, such as fingerprint, face, and DNA information, is considered sensitive personal data, the processing of which is subject to strict conditions and additional measures. The most important principle applied to processing of sensitive personal data is that it be “relevant, limited, and proportionate to the purposes of processing.

The Board’s decisions in cases where data controllers providing sports club services processed members’ biometric data are instructive. In these decisions, the Board determined that obtaining the biometric data (related to palm prints) of members who wish to access sports club services is incompatible with the “being relevant, limited, and proportionate to the purposes of processing” principle, since it was possible to control their access by alternative means. As a result, the Board imposed administrative fines on the data controllers and instructed them to control access by alternative means and cease the processing of biometric data.

State Council rulings related to biometric data processing are also instructive. The most important decision for these purposes concerns the rejection of an employee’s claim requesting the termination of a face-scanning system used to track employee shifts. The Administrative Court rejected the claim of the employee as: (i) the relevant method was not used in all units; (ii) the system was put in practice after the employer had encountered difficulties using alternative means to control of the employees’ shifts and, (iii) the face scans of employees were converted into digital codes. However, and despite the Administrative Court’s ruling, the State Council deemed the usage of face scanning a breach of right of privacy as not “relevant, limited, and proportionate to the purposes of processing” principle.

Thus, although there is no established precedent for the usage of biometric data processing systems, the Board and State Council’s decisions demonstrate that the principle that the use of sensitive personal data be “relevant, limited, and proportionate to the purposes of processing” is of the highest importance. Therefore, data controller companies using systems that process biometric data, especially for the purposes of tracking personnel or building security, should evaluate whether there is a reasonable balance between the use of these systems and the benefit intended. As it is not yet clear which conditions the Board will accept as being in full compliance with the above-stated principles, data controllers are encouraged to apply additional administrative and technical measures set out in the Law and in compliance with the Board’s decisions. In the upcoming days, one can expect the conditions in which biometric data can be lawfully processed to become clearer as the Board’s decisions accumulate.

By Derya Apaydin, Partner, and Ecem Yildirim, Associate, Apak | Uras

This Article was originally published in Issue 7.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Turkey Knowledge Partner

NAZALI offers a broad range of services in the fields of Tax, Audit, Corporate and Commercial Law, Mergers & Acquisitions, Corporate Finance, Banking, Finance and Capital Markets, Protective Legal Services and Dispute Resolution, Personal Data Protection and Privacy, Social Security and Labor Law, Occupational Health and Safety, Competition Law, Intellectual Property Law and R&D, Compliance and White-Collar Crimes, Administrative Law, Real Estate Law, Customs and Foreign Trade, Accounting and Payroll, Financial Incentives and Advisory Services and Public Administration and Compliance through its partners, associates and consultants of different seniorities who have both public and private sector experience.

What sets NAZALI apart from others is that NAZALI offers a truly comprehensive service to its clients with experts from different disciplines working collaboratively as a team under one roof enabling us to evaluate all dimensions of legal matters together with financial and technical matters.

The services that NAZALI provides to its clients include the most appropriate solution with the support of technical departments specialized in their fields. In this context, NAZALI associates are supported by NAZALI technical team and work alongside the experts in the fields of finance, social security and customs matters. NAZALI has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

As conditions continuously evolve, NAZALI always aims to further itself remaining true to its motto “GROW WITH KNOWLEDGE” and has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

Firm's website: http://www.nazali.com

Our Latest Issue