Processing of Biometric Data in Terms of KVKK and GDPR

CottGroup
9 min read · Mar 1, 2024


Personal data is any data relating to an identified or identifiable natural person; this is how the Personal Data Protection Law (KVKK) defines “personal data”. KVKK, which entered into force in 2016 and is therefore still a young law, contains many provisions on this subject. Personal data and the processing of personal data are regulated in this law. The purpose of the KVKK is stated in its first article: “The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.” In line with this purpose, KVKK also groups personal data and regulates their processing accordingly. While the conditions for the processing of personal data are set out in Article 5, the “Conditions for processing of special categories of personal data” are set out in Article 6. Biometric data are mentioned in this article, which is why they must be regarded as a special category of personal data.

Although biometric data are mentioned and protected in the KVKK, the law does not define the term. KVKK defines special categories of personal data in the article titled “Conditions for processing special categories of personal data” as follows: “Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.” Accordingly, biometric data are a special category of personal data. Special categories of personal data, as the Authority’s own statements make clear, are data that may lead to discrimination against or victimisation of the data subject if they become known. They must therefore be protected with particular care, and their processing is subject to special conditions under the KVKK.

The European Union General Data Protection Regulation does define biometric data, and its definition is quite comprehensive. Article 4 of the Regulation defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Dactyloscopy, a rarely encountered word in this definition, means “method of identification based on fingerprints”. Biometrics therefore refers to the physical or behavioural characteristics of a person. Accordingly, as explained in the Guide on the Issues to be Considered in the Processing of Biometric Data published by the Personal Data Protection Authority, such data must reveal the distinctive features of the person, such as physiological, physical or behavioural characteristics, as a result of data processing, and the features revealed must be personal data that serve to identify or verify the identity of the person.

As can be understood from the explanations so far, biometric data are human-specific and personal. They are unique and usually do not change over a lifetime. People possess their biometric data without any effort on their part, and these data clearly distinguish one person from another. For example, features such as a person’s fingerprint, signature, gait, bicycle or keyboard usage, voice, face shape, etc. are biometric data. The Guide further divides these data into behavioural and physiological data. Data such as fingerprints, retinas, palms and faces are physiological, whereas data such as walking, driving and keyboard typing patterns are behavioural biometric data. Physiological data are part of our body and are always with us.

Biometric data are used in many areas. For example, a signature is biometric data, and our signature is used to perform many necessary transactions in daily life; the transaction in which it is used may be a house rental contract or an art course membership. In addition, data such as fingerprints or even our face shape may be requested from us at the entrance to places where we are members. In this way, the identity of the person entering is fully verified. Various electronic devices also have such systems, which prevent anyone other than the selected people from accessing them. As can be seen, the points at which biometric data are processed are expanding day by day, and accordingly the importance of the processing methods and conditions is also increasing.

When it comes to the processing of biometric data, we need to address the processing conditions of special categories of personal data. These conditions are set out in Article 6 of the KVKK. First of all, it should be emphasised that it is prohibited to process sensitive personal data without the explicit consent of the data subject. The article then sets out how such data can be processed without explicit consent: “Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws.” Accordingly, biometric data can also be processed without explicit consent in cases stipulated by law. In any case, the general principles regulated in Article 4 of the Law must be complied with. These principles are listed in the law as follows:

  • “Lawfulness and fairness.
  • Being accurate and kept up to date where necessary.
  • Being processed for specified, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purposes for which they are processed.
  • Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.”

These are the principles to be followed in all processing of personal data.

In addition, in the Guide on the Issues to be Considered in the Processing of Biometric Data (in Turkish) published by the Personal Data Protection Authority, the section titled “Data Processing Principles” explains in detail how biometric data are to be processed. The first item under this heading states that “The data controller will be able to process biometric data in accordance with the general principles in Article 4 of the Law and the conditions set out in Article 6, but only in line with the following principles.” These principles are listed as follows:

  1. It does not touch the essence of fundamental rights and freedoms
  2. The method applied is suitable for achieving the purpose of processing, the data processing activity is suitable for the purpose to be achieved
  3. Biometric data processing method is necessary for the purpose to be achieved
  4. Finding a proportion between the purpose and the means to be achieved by data processing
  5. Keeping it for as long as necessary, destroying the data in question without delay / immediately after the necessity disappears
  6. Limited to the purpose of processing; fulfilment of the obligation of data controllers to inform in accordance with Article 10 of the Law
  7. If explicit consent is required, the explicit consent of the data subjects must be obtained in accordance with the Law

Again, according to the Guide, the data controller must document that all of these conditions are met. In addition, the Guide warns that genetic data (blood, saliva, etc.) should not be collected together with biometric data unless necessary. When selecting the type or types of biometrics (iris, fingerprint, vascular network of the hand, etc.), justifications and documents should be provided as to why the preferred type or types of biometric data were chosen over others. The Guide further states: “In accordance with the principle of retention for the period stipulated in the relevant legislation in subparagraph (d) of the first paragraph of Article 4 of the Law or required for the purpose for which they are processed, the maximum period for the processing of personal data should be determined. In this context, there may be periods arising from the legislation in determining the periods, as well as periods that are not due to the legislation but to be determined by the data controllers. However, all types of biometric features (raw and derived records, etc.) must be processed for the required period of time; how long the data in question will be kept should be explained by the data controller in the personal data retention and destruction policy, together with the reasons.”

In addition, the technical and administrative measures to be taken to ensure data security are listed in the Guide as follows:

1. Technical Measures:

  1. Biometric data should be stored in cloud systems only when cryptographic methods are used.
  2. Derived biometric data should be stored in a way that does not allow the original biometric feature to be obtained again.
  3. Biometric data and templates should be encrypted with cryptographic methods that provide sufficient security in accordance with current technology. Encryption and key management policy must be clearly defined.
  4. The data controller must test the system by means of synthetic data (not real) in test environments to be created before installing the system and after any changes.
  5. The data controller must limit the use of biometric data to what is necessary for testing purposes. All data must be deleted at the end of the tests at the latest.
  6. The data controller must implement measures to alert the system administrator and/or delete and report biometric data in case of unauthorised access to the system.
  7. The data controller should use certified equipment and licensed, up-to-date software in the system, give priority to open source software, and apply the necessary updates to the system on time.
  8. The lifetime of devices that process biometric data must be traceable.
  9. The data controller should be able to monitor and limit user operations on the software that processes biometric data.
  10. Hardware and software tests of the biometric data system should be performed periodically.

2. Administrative Measures:

  1. An alternative system should be provided, without any restrictions or additional costs, for those who cannot use the biometric solution (because their biometric data cannot be recorded or read, because of a disability that makes it difficult to use, etc.) or who do not give explicit consent to its use.
  2. An action plan should be established in case of inability or failure to authenticate with biometric methods (inability to verify an identity, lack of authorisation to enter a secure area, etc.).
  3. A mechanism for access to biometric data systems by authorised persons must be established, managed and the responsible persons must be identified and documented.
  4. Personnel involved in biometric data processing must receive special training on biometric data processing and such training must be documented.
  5. An official reporting procedure must be established for employees to report possible security vulnerabilities in systems and services and threats that may arise as a result of such vulnerabilities.
  6. The data controller must establish an emergency procedure to be implemented in the event of a data breach and announce it to everyone concerned.

Processing of Biometric Data in terms of GDPR

GDPR is the General Data Protection Regulation. It was published in 2016 and is a regulation in European Union law on data protection and privacy for individuals throughout the European Union and the European Economic Area.

Companies that are not located in the European Union must comply with the regulation if they want to do business with companies based in the European Union. Therefore, the processing of biometric data is not an insignificant issue in terms of GDPR. On the contrary, it is very important.

As we have already mentioned, Article 4 of the Regulation, titled “Definitions”, defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” The conditions for processing are in Article 9, titled “Processing of special categories of personal data”. The first paragraph of the Article states that “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” The remainder of the article lists the cases in which this prohibition does not apply.

The concept of explicit consent also appears here, in the phrase “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.

In the continuation of the Article, the situations in which data may be processed are mentioned. In addition, according to paragraph 4 of the Article, Member States may continue to apply additional conditions, including limitations, or impose additional conditions in relation to genetic data, biometric data or health-related data. This paragraph also refers to the Member States’ own rules.

CONCLUSION

It is clear that biometric data occupy an important place under both the KVKK and the GDPR. Although the text of the KVKK itself does not regulate the matter in sufficient detail, the Guide published by the Authority has expanded the explanation of the subject considerably. The GDPR, on the other hand, addresses the issue extensively by listing the exceptions to the processing prohibition in the text of the Regulation itself. In today’s world, where technology is constantly developing and our data are processed everywhere, this issue deserves close attention.
