10 Aug, 2022

Considerations in Processing Biometric Data


The Personal Data Protection Authority (“Authority”) published the Guidance (“Guide”) on the Matters to be Considered in the Processing of Biometric Data on September 17, 2021. The Guide states that the biometric data definition in the General Data Protection Regulation (GDPR) of the European Union is the most comprehensive definition made in this field to date. Building on this definition, the Guide sets out the conditions and principles for processing biometric data in accordance with the KVKK (“Law”). This article discusses the issues that need to be considered under the Law and the GDPR when processing biometric data.


What is Biometric Data?

According to the definition in the European Union General Data Protection Regulation (GDPR), biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” As follows from the GDPR definition, for personal data to be biometric data:

  • Distinctive features, such as the physiological, physical or behavioural characteristics of the person, must be revealed as a result of the data processing, and
  • The features uncovered must be personal data that serve to identify the person or to verify the person's identity.

“Biometrics” refers to the physical or behavioural characteristics of a human being, and biometric data is personal, unique and distinctive. Biometric data is data that people cannot forget, that generally does not change over a lifetime, and that can be obtained easily without any intervention. Thanks to the use of biometric data, it becomes very easy to distinguish people from one another and the possibility of confusing them is almost eliminated.

While biometric data such as a person's fingerprint, retina, palm, face, hand shape and iris constitute physiological biometric data, biometric data such as a person's walking style, typing rhythm on a keyboard and driving style constitute behavioural biometric data.

Processing of Biometric Data in accordance with KVKK and GDPR

In the processing of biometric data, both the existence of a processing condition for biometric data and compliance with the general principles regulated in Article 4 of the Law are important. According to the third paragraph of Article 6 of the Law, “Personal data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the law.” In this framework, where there is no explicit consent, biometric data may be processed in the cases stipulated by the laws.

In addition, the general principles set out in Article 4 of the Law must always be complied with in the processing of biometric data. Article 4 of the Law, titled “General Principles”, stipulates that personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws, and that compliance with the following principles is mandatory in the processing of personal data:

  • Being in compliance with the law and the rules of good faith,
  • Being accurate and, where necessary, up to date,
  • Being processed for specific, explicit and legitimate purposes,
  • Being relevant to, limited to and proportionate with the purpose for which they are processed,
  • Being kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation.

In order to clarify the issues of biometric data processing, the Guide was prepared on the matters to be considered in the processing of biometric data, which is treated as sensitive (special category) personal data under Article 6 of the Law. The data controller may process biometric data only in accordance with the general principles in Article 4 of the Law and the conditions set forth in Article 6.

Regarding the processing of biometric data, Article 9 of the GDPR provides that “the processing of genetic data, biometric data, health-related data or data relating to the sexual life or sexual orientation of a natural person is prohibited.” However, there is no obstacle to processing biometric data if the person has given explicit consent and/or in some of the exceptional cases listed in Article 9.

Article 9/2 of the GDPR lists that the personal data of the data subject can be processed with the explicit consent of the person, and that there are some exceptional cases apart from explicit consent. At the same time, the processing of biometric data is subject to certain restrictions under Union or Member State law.

When comparing the processing conditions under the Law and the GDPR, the Law provides that personal data can be processed in the light of certain principles without the explicit consent of the person, whereas under the GDPR the “explicit consent” requirement for the processing of biometric data is mandatory, subject to certain exceptions.

Biometric Data Security

Data controllers processing biometric data are obliged to pay attention to the matters relating to personal data security contained in laws, regulations, communiqués and Board decisions. In this context, the data controller should take the technical and administrative measures necessary to ensure the security of the data, having regard to the nature of the data and the possible risks that the processing may pose for the data subject. In addition to the data security measures in the aforementioned legislation and guides, data controllers should also take the following measures regarding biometric data processing.

Technical Measures:

  1. Biometric data should be stored in cloud systems only with cryptographic methods (i.e. in encrypted form).
  2. Derived biometric data (templates) should be stored in a way that does not allow the recovery of the original biometric feature.
  3. Biometric data and its templates should be encrypted in accordance with current technology, with cryptographic methods that provide adequate security. The encryption and key management policy should be clearly defined.
  4. Before installing the system and after any change to it, the data controller should test the system with synthetic (not real) data in test environments created for that purpose.
  5. The data controller should limit the use of biometric data to what is necessary in work carried out for testing purposes. All such data should be deleted at the latest at the end of the tests.
  6. The data controller should implement measures that warn the system administrator and/or delete and report biometric data in case of unauthorized access to the system.
  7. The data controller should use certified equipment and licensed, up-to-date software in the system, should prefer open source software where possible, and should apply updates to the system in a timely manner.
  8. The lifetime of devices that process biometric data should be traceable.
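
The sixth technical measure (warning the administrator on unauthorized access) is the one most often left to "the system" without a concrete check. The following script is an added example, not code from the Guide or the Authority: it audits a constructed access log of a biometric template store against an allow-list of operator accounts and actions, escalates after repeated denied attempts, and treats any action that succeeded outside policy as an enforcement failure to be reported immediately. The log format, account names, record ids and the threshold are all assumptions made for the example.

```python
"""Audit a biometric template store's access log for unauthorized access.

Added example for Technical Measure 6 of the Guide; all log lines, account
names and policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed policy: which operator accounts may touch the template store,
# and which actions each may perform. Anything else is unauthorized.
AUTHORIZED_ACCESS: Dict[str, set] = {
    "bio-admin": {"read", "enroll", "delete"},
    "bio-verifier": {"read"},
}

# Number of denied attempts by one account before the administrator is warned
# (constructed value; a real deployment would set this in its security policy).
DENIED_THRESHOLD = 3


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    account: str
    action: str
    result: str   # "ok" or "denied", as written by the (hypothetical) template service
    record: str   # template record id (constructed)


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line of the form
    '<iso-timestamp> account=<a> action=<x> result=<ok|denied> record=<id>'."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_str),
        account=kv["account"],
        action=kv["action"],
        result=kv["result"],
        record=kv["record"],
    )


def audit(lines: Iterable[str]) -> List[str]:
    """Return the alerts an administrator should receive for the given log.

    - A successful action outside policy means the access control in front of
      the store failed; this is reported at once as CRITICAL and should also
      feed the controller's breach procedure (Administrative Measure 6).
    - Denied attempts are counted per account; reaching DENIED_THRESHOLD
      produces a WARN so that probing of the store is noticed early.
    """
    alerts: List[str] = []
    denied_counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        allowed = AUTHORIZED_ACCESS.get(ev.account, set())
        if ev.action in allowed:
            continue  # within policy, nothing to report
        if ev.result == "ok":
            alerts.append(
                f"CRITICAL {ev.ts.isoformat()} account={ev.account} performed "
                f"'{ev.action}' on {ev.record} outside policy"
            )
        else:
            denied_counts[ev.account] = denied_counts.get(ev.account, 0) + 1
            if denied_counts[ev.account] == DENIED_THRESHOLD:
                alerts.append(
                    f"WARN {ev.ts.isoformat()} account={ev.account} reached "
                    f"{DENIED_THRESHOLD} denied attempts on the template store"
                )
    return alerts


# Constructed sample log: one legitimate verification, three denied attempts by
# a read-only account, one successful read by an account that is not in the
# policy at all, and one legitimate enrolment.
SAMPLE_LOG = [
    "2022-08-10T09:00:00 account=bio-verifier action=read result=ok record=tpl-0001",
    "2022-08-10T09:01:00 account=bio-verifier action=delete result=denied record=tpl-0001",
    "2022-08-10T09:02:00 account=bio-verifier action=delete result=denied record=tpl-0002",
    "2022-08-10T09:03:00 account=bio-verifier action=export result=denied record=tpl-0003",
    "2022-08-10T09:10:00 account=intern-42 action=read result=ok record=tpl-0007",
    "2022-08-10T09:15:00 account=bio-admin action=enroll result=ok record=tpl-0042",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the audit produces two alerts: a WARN for the read-only account after its third denied attempt, and a CRITICAL for the unknown account whose read succeeded. The CRITICAL case is the important one for the Guide's purposes: a denied attempt shows the control working, whereas a successful out-of-policy read means biometric templates may already have been exposed and the reporting and deletion steps of Measure 6 apply.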

Administrative Measures: 

  1. An alternative system should be provided, without any restriction or additional cost, for persons who are unable to use the biometric solution (because their biometric data cannot be recorded or read, because of a disability that makes it difficult to use, etc.) or who have not given explicit consent to its use.
  2. An action plan should be established for the case of a failure of, or a failure to authenticate with, the biometric methods.
  3. An access mechanism for authorized persons to the biometric data systems should be established and managed, and those responsible should be identified and documented.
  4. Personnel involved in biometric data processing should receive specific training on the processing of biometric data, and such training should be documented.
  5. A formal reporting procedure should be established so that employees can report possible security vulnerabilities in systems and services, and the threats that may arise from such vulnerabilities.
  6. The data controller should establish an emergency procedure to be applied in the event of a data breach and communicate it to everyone concerned.

Examples of KVKK Decision Summary Regarding the Processing of Biometric Data

Summary of the Decision of the Personal Data Protection Board on the Processing of Biometric Data at the Entrance-Exit of the Gymnasium

In the concrete case, the company providing the gym service (“data controller”) processed special categories of personal data containing biometric data by switching to a hand-scanning system for the entrance-exit control of its members, and, upon suspicion as to whether this information was kept securely, a complaint was submitted to the Authority by the relevant persons.

It was determined that persons could use the facility by having their palm prints scanned at the entrance of the sports club for the purpose of controlling entry and exit, and that, besides this system, members who wished to could benefit from the facility by showing their cards. Since it was concluded that the palm scanning system meets the definition of biometric data, and that the use of a system containing biometric data at the entrance and exit of the facility is contrary to the proportionality principle of the Law even if an optional alternative is offered alongside it, administrative sanctions were imposed on the data controller.

Summary of the Decision of the Personal Data Protection Board on the Processing of the "Hand Geometry" Information of the Relevant Person by the Data Controller in order to enter the Service Building of an Enterprise without Obtaining Express Consent

In summary, in the complaint submitted to the Authority it was stated that, while the person concerned was registering with a business in order to enter its service area, their palm and fingerprint information was scanned by the company's authorized staff and processed in the company records; that the palm and fingerprint of the person concerned were therefore scanned without a legally valid express consent; that, after the contract was terminated, the person applied to the data controller company in accordance with the Law on the Protection of Personal Data (the “Law”); and that the data controller replied to the data subject but the answer was insufficient. It was requested that the necessary action be taken on the matter.

It was found that the “hand geometry” information of the person concerned, which falls within the biometric data category, was processed by the data controller without any of the processing conditions in Article 6 of the Law being met, and that the data controller therefore violated the obligation in paragraph (1) of Article 12 of the Law. Taking into account the unlawfulness and fault involved in all these matters, the data controller's fault and economic situation, the fact that the personal data subject to the complaint is sensitive personal data, the fact that a large number of people were affected because other subscribers' sensitive personal data was also processed in violation of the Law, and the fact that this interferes with the right to the protection of personal data, administrative sanctions were imposed on the data controller.

Conclusion:

As stated in the GDPR definition of biometric data, biometric data is data that allows or confirms the unique identification of a natural person. Since biometric data serves to recognize the person, its protection is important for the persons concerned. At the same time, the processing of biometric data has been made subject to strict measures on the part of the party processing it. The “Guide to Considerations in the Processing of Biometric Data” published by the Personal Data Protection Authority explains which data the definition of biometric data covers, in accordance with which principles such data should be processed, and which measures should be taken to ensure data security. The GDPR clearly states the conditions under which biometric data can be processed. Biometric data should be processed by data controllers in line with the Guide and the GDPR, and stored with the necessary precautions.

When the cases that are the subject of the KVKK Decision Summaries are examined, it was found that some companies collected fingerprints, face-recognition data, hand geometry and similar data in the course of employment. In order to process such biometric data, the relevant persons must first be carefully informed and their explicit consent must be obtained. Apart from this, the KVKK Decision Summaries clearly state that, when the reason for processing biometric data is examined, alternative solutions can be proposed, and that processing biometric data in such cases is contrary to the principle of “proportionality”.
