Personal Data Protection Board Issued Infringement Decision Regarding Processing of Data Subject’s “Hand Geometry” Information to Access Business Build Service by Data Controller Without Explicit Consent – Data Protection data

To print this article, all you need to do is be registered or log in to

The decision of the Personal Data Protection Board (“Plank”) dated 07.07.2022 and numbered 2022/667, concerning the processing of the data subject’s “hand geometry” information to access the service building of a company by the company responsible for the processing (“Data controller”) without express consent (“Decision“) has been published.

In summary, the data subject has lodged a complaint with the Personal Data Protection Authority (“Authority”), and stated the following;

The person concerned had to put their hand on a device and log in with their password to access the service area. Therefore, the data subject’s palm and fingerprints were scanned without legally valid explicit consent. The data subject has contacted the data controller in accordance with Law No. 6698 on the protection of personal data (“Right“), but the answer given was considered insufficient and the Authority was asked to take the necessary measures.

In the defense received on this subject, the data controller stated that,

  • At the entrance of the company, a private password is obtained from the people next to their hand geometry using a device called “Hand Geometry Terminal”, and that it is ‘a system different from fingerprint and palm scanning,

  • Although the fingerprint and the palm print are unique for each person, the hand geometry only includes data such as the length of the fingers and the distance between the joints. It is therefore personal data rather than special categories of personal data because it cannot be used to identify someone. all alone,

  • The collection of this data was necessary to prevent misuse of the subscription.

In the examination carried out on the subject, the Board;

  • Firstly, drew attention to the fact that it is stipulated in article 6 entitled “Conditions for the processing of special categories of personal data” of the law, that “biometrics and genetics” the data is determined as special categories of personal data, and that it is prohibited to process special categories of personal data without the explicit consent of the data subject.

  • Said that the name of said device is “… Biometric Hand Terminal”, and that the indispensable feature of hand geometry reading technology, which is a biometric system, is to obtain accurate results, and the error margin of this device is 1/101.559. 956.668.416.

  • The Council also stated that in decision no. 2014/4562 of the 15th Chamber of the Council of State, it was stated that biometric systems include methods such as fingerprint recognition, palm scanning, hand geometry recognitionand iris recognition;

  • In the decision of the Constitutional Court of 10.03.2022 with the application number 2018/11988, it is stated that biometric data are accepted as “special categories of personal data because of their importance because they contain biological or behavioral information about the person concerned which makes it possible to distinguish a person from other persons and to identify the identity of the person; »

  • There is no legal basis for the processing of special categories of personal data in order to provide control at the entrances to the service building of the data controller, or for the use of systems based on biometric data in this context.

The Council decided to impose an administrative fine of TRY 100,000 on the controller in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account that the personal data subject of the complaint are special categories of personal dataand that subscribers other than the complainant are also affected by the processing of special categories of personal data in violation of the law.

You can access the full Turkish text of the decision via the link below.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR ARTICLES ON: Privacy from Turkey

Why TikTok can be fined £27m by the ICO

Preiskel & Cie

The UK data protection regulator, the Information Commissioner’s Office (“ICO”), has issued a “Notice of Intent” to Tiktok. This notice is a precursor to the imposition of a potential £27m fine…

Comments are closed.