Guidance on issues to be taken into account in the processing of biometric data
On September 16, 2021, the Personal Data Protection Authority published the “Guidance on Issues to be Taken into Account in the Processing of Biometric Data” (the “Guidance”). This document mainly sets out the following issues:
The Law on the Protection of Personal Data (the “Law”) entered into force upon its publication in the Official Journal of 07.04.2016. Article 6 of the Law governs the “Conditions for processing personal data of a special nature”. According to this article, personal data of a special nature are personal data relating to race, ethnic origin, political opinion, philosophical conviction, religion, sect or other belief, clothing, membership of associations, foundations or unions, health, sex life, criminal convictions and security measures, as well as biometric and genetic data.
Biometric data, although listed among personal data of a special nature in the Law, is not comprehensively defined there. However, according to Article 4 of the EU General Data Protection Regulation, for personal data to qualify as biometric, the distinctive characteristics of the person must result from specific technical processing of the data, and these characteristics must be data used to identify the person or to confirm the person’s identity. Under this definition, biometrics refers to human physical or behavioural characteristics, and such data is both personal and unique. Physiological biometric data are data such as a person’s fingerprint, retina or iris; a person’s way of walking or cycling is behavioural biometric data.
In the processing of biometric data, the conditions defined in the Law must be fulfilled. According to Article 6 of the Law, it is prohibited to process personal data of a special nature without the explicit consent of the data subject. However, personal data of a special nature, other than data relating to health and sexual life, may be processed without the explicit consent of the data subject in the cases provided for by law. In this context, biometric data may be processed without the explicit consent of the data subject only if the processing is provided for by law. Otherwise, the explicit consent of the data subject is required for the processing of biometric data.
In subparagraph (a) of the first paragraph of Article 3 of the Law, entitled “Definitions”, explicit consent is defined as “consent related to a specific matter, based on information and expressed with free will”. For explicit consent given for the processing of data to be valid, it must first be given on a specific subject and be limited to that subject. Moreover, since explicit consent is a declaration of will, the data subject also needs to know what they are consenting to in order to consent freely. The data subject must have full knowledge not only of the purpose, but also of the consequences of their consent. Where provisions regarding the processing of biometric data are expressly included in other laws, the provisions of those laws will apply. In addition, the general principles of Article 4 of the Law must be observed in the processing of such data. The Guidance has been prepared to provide a legal basis for the processing of biometric data, and it lists the principles of biometric data processing and of biometric data security.
The controller may process biometric data in accordance with the general principles of Article 4 and the conditions set out in Article 6 of the Law. In addition, biometric data should be processed only if doing so does not affect the essence of fundamental rights and freedoms, the method used should be practical and necessary, and the data processing activity should be suitable for the purpose to be achieved. There should also be proportionality between the purpose and the means used to achieve it, the data should be retained only as long as necessary, the controller should fulfil its obligation to inform under Article 10 of the Law, and, where explicit consent is required, the explicit consent of the data subjects must be obtained in accordance with the Law.
It must be documented by the controller that all the principles mentioned above are observed.
Unless necessary, genetic data should not be obtained when biometric data is obtained.
The choice of the type of biometrics should be explained with the reasons why it was chosen instead of other types.
The maximum retention period of the personal data must be determined. In addition, biometric characteristics of any kind may be processed only for the time required.
Data controllers should pay attention to the data security requirements set out in the legislation. In this regard, it is mandatory to take the measures specified in the Board decision on “Adequate Measures to be Taken by Data Controllers in the Processing of Personal Data of a Special Nature”. Accordingly, the controller must take the necessary technical and administrative measures to ensure data security, having regard to the nature of the data and the possible risks to the data subject.
In addition to these, the controller must take the following administrative and technical measures in the processing of biometric data:
Biometric data stored in cloud systems must be protected using cryptographic methods.
Derived biometric data (such as templates) must be stored in such a way that the original biometric sample cannot be reconstructed from it.
Biometric data must be encrypted with cryptographic methods strong enough to ensure adequate security, and the management of the encryption keys must be clearly defined.
The data controller should test the system using non-real data. Where biometric data is used for testing purposes, its use should be limited to what is required and all such data should be deleted no later than the end of testing.
The controller should take steps to notify the system administrator and/or to delete and report biometric data in the event of unauthorized access to the system.
The data controller should use certified methods and licensed, up-to-date software in the system, give priority to open source software, and apply necessary updates in a timely manner.
The lifespan of the devices used must be traceable. In addition, hardware and software testing of the biometric data system should be performed periodically.
The data controller must be able to monitor and limit user actions on software that processes biometric data.
An alternative system should be provided, without any restrictions or additional costs, for those who cannot use the biometric solution or do not give explicit consent to it.
An action plan must be established for cases of biometric authentication failure.
The mechanism by which authorized persons access biometric data systems should be established and managed, and their responsibilities determined.
Staff involved in the processing of biometric data should receive special training on the processing of biometric data and this training should be documented.
A formal reporting procedure should be established so that employees can report potential security risks in the system and threats that may result from those risks.
The controller must establish an emergency procedure to be implemented in the event of a data breach and notify all those affected.
As explained above, the Guidance aims to clarify in detail the processing of biometric data. While biometric data must be processed in accordance with the Law, data controllers must also comply with the rules set out in the Guidance.