• Preamble

Biometric data are frequently used for authentication or identification in practice because they capture distinctive features of individuals that are unique and cannot be changed. Precisely because these qualities are unalterable, their processing must not be abused and individuals must be protected from harm. For this reason, both the European General Data Protection Regulation and the Turkish Law on Protection of Personal Data No. 6698 treat biometric data as a special category of personal data: such data may not be freely obtained and processed by everyone, and both regulations subject their processing to stricter conditions.

In this article, the rules and practice under the Personal Data Protection Law No. 6698 (“KVKK”) and Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), are compared with regard to the processing of biometric data.

  • What is Biometric Data?

Art. 4(14) GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Two elements stand out in this definition: the unique link between the biometric data and the data subject, and the requirement of a specific technical processing method.

The Article 29 Data Protection Working Party describes biometric data in more detail: “These data may be defined as biological properties, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability. Typical examples of such biometric data are provided by fingerprints, retinal patterns, facial structure, voices, but also hand geometry, vein patterns or even some deeply ingrained skill or other behavioural characteristics (such as a handwritten signature, keystrokes, a particular way to walk or to speak, etc.)”. On this view, biometric data carry the biometric information of the person and also express the special, unique link between the person and that data. Consequently, the data that make a person recognisable are usually items such as biometric photographs, fingerprints, retinal patterns and facial geometry, but behavioural traits such as a person’s signature or gait are also treated as biometric data because they are equally unique to the individual.

  • Principles of Processing Biometric Data as Special Categories of Data and Sensitive Data

The processing of biometric data is generally subject to stricter requirements than the processing of other personal data because it provides a high degree of distinctiveness between individuals.

Biometric data bind a person’s identity to their physical presence in a way that is hard to repudiate, and they make features of the human body “machine-readable” and reusable. Biometric information is sometimes captured, stored and processed in a raw form that already allows its source to be recognised without any further linking, for example by photographing a face directly, recording a voice or taking a fingerprint. Capture methods such as audio or video recording also make it possible to recognise a person remotely, even where such methods are applied to that person for the first time.

Article 9 GDPR sets out the conditions for processing special categories of personal data, which include biometric data. Where one of these conditions is met, special category data may be processed provided that the general principles are also complied with.

Under the KVKK, the processing of biometric data is subject to the processing conditions for special categories of personal data. Where these conditions are met, special categories of personal data may be processed provided that Article 4 of the KVKK is complied with.

  • Biometric Data Under GDPR

Art. 9(1) GDPR provides that “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Under this provision, biometric data processed for the purpose of uniquely identifying a natural person fall within the special categories of personal data, commonly referred to as “sensitive data”.

Paragraph 2 lists the conditions, explicit consent among them, under which special categories of personal data may exceptionally be processed. Member States may introduce further conditions or limitations in their domestic law; Art. 9(4) GDPR expressly allows this for genetic data, biometric data and data concerning health.

Recital 51 (first paragraph) states: “Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”

However, not every item of data with biometric content counts as biometric data. The second paragraph of Recital 51 continues: “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”

  • Systems Used in The Processing of Biometric Data

Working Document WP80 of the Article 29 Working Party defines biometric systems as “applications that can automatically identify and/or authenticate a person using biometric technologies”. Beyond identification and authentication, biometric systems can also be used for classification or segregation purposes.

  • Consent and Exceptions under the GDPR

The processing of biometric data is subject to the conditions set out in Article 9 GDPR, “Processing of special categories of personal data”.

Under Art. 9(2)(a) GDPR, biometric data may be processed first of all where the data subject has given explicit consent. That consent must be informed, given for one or more specified purposes, and must expressly cover the processing of the personal data in question.

The legal bases that permit processing without explicit consent are set out in Art. 9(2)(b) to (j). They include, among others, preventive or occupational medicine, processing in connection with legal claims or where courts act in their judicial capacity, and personal data manifestly made public by the data subject.

  • General Principles of Biometric Data Processing

Recital 51 goes on: “Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.”

The same recital adds: “Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.”

  • Obligation to Provide Information under the GDPR and the Principle of Purpose Limitation

Processing of biometric data must also satisfy the general requirements for processing personal data. Under Art. 5(1)(b) GDPR, personal data must be collected for specified, explicit and legitimate purposes, in the case of consent the purposes for which the data subject has consented, and must not be further processed in a manner incompatible with those purposes. This is the principle of “purpose limitation”. At the same time, the data processed for that lawful purpose must be adequate and relevant to achieving it.

According to Opinion 3/2012 of the Article 29 Working Party, biometric data may be collected to ensure or increase the security of processing systems, provided that appropriate measures are applied to protect the personal data against unauthorised access.

The Recommendation of the Committee of Ministers dated 15 May 2006 sets out the conditions to be complied with where biological materials that allow the persons concerned to be identified, directly or by means of a code, are collected, stored and used for research purposes. It states that the scope of the consent obtained should be as specific as possible to the use of the data in the research.

As an example from practice of how the necessity of biometric processing is assessed, the French Data Protection Authority CNIL accepts two methods:

  • Justifying the existence of a specific context that requires a high level of protection (weapons manufacturing, etc.), or
  • Demonstrating that less intrusive tools such as ID cards or access codes are inadequate (for example, an environment where strong identification is required to prevent identity theft or the compromise of access codes).

  • Data Minimization

A particular challenge arises because, as Opinion 3/2012 of the Article 29 Working Party notes, biometric data often contain more information than the matching function requires. Not all the information available should therefore be processed, transmitted or stored, and the controller should ensure that the system’s default configuration already supports this, so that data protection does not depend on manual enforcement.

  • Period of Processing 

According to Opinion 3/2012 of the Article 29 Working Party, the controller should set a retention period for biometric data that is no longer than necessary for the purposes for which the data were collected or further processed, and must ensure that the data, and any profiles derived from them, are permanently deleted once that justified period has ended.

  • Proportionality

According to Opinion 3/2012 of the Article 29 Working Party, the following four criteria should be considered when analysing the proportionality of a biometric system:

  1. Whether the biometric system is necessary to meet the need identified by the data controller, that is, whether it is essential to satisfy that need rather than merely the most convenient or cost-effective option.
  2. Whether the biometric technology planned to be used is likely to be effective in meeting the data controller’s need, taking into account the specific characteristics of that technology.
  3. Whether the resulting loss of privacy is proportionate to the anticipated benefit; where the benefit is minor, such as a slight gain in convenience or cost, the loss of privacy is not justified.
  4. Whether a less privacy-intrusive means would achieve the desired result.

To give an example from practice: on 26 January 2021 the Dutch Data Protection Authority warned a supermarket that wanted to install a facial recognition system. The system analysed the faces of people as they entered the shop and deleted the images within seconds if they did not match registered offenders. Under the GDPR, a facial recognition system may process biometric data only with the explicit consent of the persons concerned or to the extent necessary for a substantial public interest. According to the decision, neither condition was met in the case at hand: explicit consent had not been obtained, and the security interest of a supermarket was far from sufficient to justify the processing of biometric data under the Dutch Data Protection Act.

As an example of the fourth criterion, the same Opinion examines the installation of a central biometric system in a health and fitness club, based on fingerprint collection, in order to grant access to the gym and related services only to paying customers. To operate such a system, the fingerprints of all customers and staff must be kept. The biometric implementation appears disproportionate to the need to control access to the club and to simplify subscription management: other measures that do not require the processing of biometric data, such as a simple checklist, RFID tags or a swipe card, can readily be regarded as equally applicable and effective.

  • Accuracy

According to Opinion 3/2012 of the Article 29 Working Party, biometric data must be accurate and proportionate to the purpose for which they were collected. The data must be accurate at the time of enrolment and when the biometric data are linked to an identity. Accuracy at enrolment is also relevant to the prevention of identity fraud, since biometric data are unique and produce a unique template or image.

  • Transparency and Data Controller’s Obligation to Inform 

Under Art. 5(1)(a) GDPR, data subjects should be aware that their biometric data are being collected and/or used. Since the controller of a biometric system is obliged to inform the data subject, biometrics must not be obtained from a person without their knowledge.

As an example from practice, the French Data Protection Authority CNIL takes the view that, in the relationship between employer and employee, data controllers should prefer to base biometric data processing on a legal ground arising from a legal obligation rather than on the employee’s explicit consent.

The Danish Data Protection Authority provides another example from practice. Following the wording of Article 9(1), biometric data, including fingerprint information, are considered a special category of data only where the processing is carried out for the purpose of uniquely identifying a natural person. In the DPA’s view, a distinction must therefore be drawn between processing intended to uniquely identify a natural person and processing carried out for other purposes, for example the use of face recognition in an authentication system.

  • Biometric Data According to the Turkish Personal Data Protection Law No. 6698 (“KVKK”)

Although biometric data are listed among the special categories of personal data in Article 6 of the Law on the Protection of Personal Data (“KVKK”), the Law contains no separate definition of biometric data. However, in the Decisions of the Personal Data Protection Board dated 25/03/2019 and numbered 2019/81, and dated 31/05/2019 and numbered 2019/165, reference is made to the definition in the European General Data Protection Regulation (GDPR): “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data, which allow or confirm the unique identification of that natural person”. This definition is taken into account in the Board’s assessments.

In addition, the same decision refers to GDPR Recital 51: for data to fall within the scope of biometric data, the criterion is that the data must be capable of identifying or verifying only that particular person.

Biometric data are divided into two categories, physiological and behavioural, as under the GDPR, according to the Decision Summary of the Personal Data Protection Board dated 27.08.2020 and numbered 2020/649 on a request for an opinion regarding the use of biometric signature data: “These are data that are obtained effortlessly without any intervention and generally remain unchanged for a lifetime; it is not possible to change or forget these data, because the individual carries their own characteristics. Physiological biometric data are data that contain unique features of the human body. In this context, personal data such as iris, retina, fingerprint, face, palm and vein data constitute physiological biometric data. Behavioural biometric data, on the other hand, relate to dynamic characteristics that may change according to time, mood, age and similar factors. For example, data such as the way people walk, the way they type on a keyboard, the pressure and type of touch they apply while using smart devices, and their driving style constitute behavioural biometric data.”

  • Processing of Biometric Data under KVKK

Where biometric data are processed in a way that is capable of uniquely identifying a person, they fall within the category of biometric data and their processing is subject to the rules on special categories of data. Therefore, in addition to the general principles in Article 4 of the Law, the “conditions for processing special categories of personal data” in Article 6 must be complied with.

  • General Principles for Processing Biometric Data

According to KVKK Art. 4, the following principles must be complied with in the processing of personal data:

    1. Lawfulness and fairness
    2. Being accurate and kept up to date where necessary
    3. Being processed for specified, explicit and legitimate purposes
    4. Being relevant, limited and proportionate to the purposes for which they are processed.
    5. Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

According to the Decisions of the Personal Data Protection Board dated 25/03/2019 and numbered 2019/81 and dated 31/05/2019 and numbered 2019/165, biometric data processing complies with the general principles only if the following rules are observed:

  1. The data processed must be suitable for achieving the specified purposes and limited to those purposes. Processing of personal data that is unrelated to, or not needed for, the achievement of the purpose must be avoided, and data may not be processed to meet needs that might arise later.
  2. Under the principle of proportionality, a reasonable balance must be struck between the data processing activity and the intended purpose; in other words, the processing must be sufficient to achieve the purpose, and personal data that are not required for the processing activity must not be collected and/or processed.
  3. Under data minimisation, the controller must, within the framework of its purpose and in line with proportionality, request only the minimum information from the data subject and avoid processing that is not necessary or that serves other purposes. Even where processing is based on the data subject’s consent and tied to a specific purpose, explicit consent does not justify the collection of excessive amounts of data. Personal data must therefore be collected only for specific purposes and to the extent required, used only where the purpose requires, and not kept for longer than the purpose necessitates.

In the Public Announcement of the Personal Data Protection Authority on Distance Education Platforms dated 07.04.2020, the Authority observed: “On distance education platforms, personal data such as the names and surnames of students, and certain special categories of personal data that can be assessed as biometric data, such as voice and image, are processed.” For the administrative and technical measures to be taken when processing such data, the Announcement refers to the KVKK Guide.

  • Explicit Consent

Under Article 6 of the KVKK, it is prohibited to process special categories of personal data without the explicit consent of the data subject, except for the cases set out in paragraph 3. Special categories of personal data listed in the first paragraph, other than data on health and sexual life, may be processed without explicit consent in the cases provided for by law. Personal data relating to health and sexual life may be processed without explicit consent only by persons under an obligation of confidentiality or by authorised institutions and organisations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.

However, the existence of a legal basis under paragraph 3 does not mean that biometric data may be processed at will. Compliance with the general principles must be ensured even in cases where explicit consent is not required.

  • Conditions for Biometric Data Processing Stipulated in Laws

Article 13(ç) of the Regulation on the Identity Card of the Republic of Turkey, titled “Obtaining, comparing and recording biometric data”, provides for the processing of biometric data as follows:

  • The procedures and principles for the collection, processing and comparison of biometric data are determined by the Ministry. In the identity card application, biometric data are processed in accordance with those procedures and principles.
  • If the biometric data of a person applying for an identity card are verified, the biometric data are not taken again.
  • If there is a documented condition that prevents biometric data from being obtained from an individual, no biometric data are taken and this is recorded.
  • If individuals who are found to have received a composite tissue or hand transplant already have a biometric data record, their biometric data are taken again after the transplant operation, their records in the central database are updated, and an explanatory note is added.

  • Biometric Data under the Social Insurance and General Health Insurance Law No. 5510 and the Health Implementation Communiqué

In its decision no. 2014/4562, the 15th Chamber of the Council of State suspended the execution of the “Health Implementation Communiqué” and referred Article 67 of the Social Insurance and General Health Insurance Law No. 5510, the legal basis of that Communiqué, to the Constitutional Court on the ground that the phrase “identity verification with biometric methods” was disproportionate. It was argued that the scope of biometric data processing, the procedures and principles for collecting and storing biometric data, and their limits had not been defined, contrary to Articles 2, 13 and 20 of the Constitution. The Constitutional Court rejected the application by majority vote, finding the processing of biometric data appropriate to prevent abuse of rights in practice. However, the references to biometric data in this article were later repealed by Article 42 of Law No. 5754, adopted on 17/4/2008.

  • Biometric Data under the Communiqué on the Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions

Another regulation, the “Communiqué on the Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions”, mentions data carrying biometric characteristics in Article 9, in the context of identity verification systems used for access to sensitive payment data:

“Where access to sensitive payment data is provided, where transactions are carried out electronically in cases where identification is mandatory under the obligations of the Law on Prevention of Laundering Proceeds of Crime No. 5549 dated 11/10/2006, and for payment transactions that are not low-value under Article 58 of the Regulation, an authentication mechanism consisting of at least two independent components is used. These two components are chosen from two different classes of elements: something the person ‘knows’, something the person ‘has’, or a ‘biometric characteristic’ of the person. Independence of the components means that the seizure of one component does not compromise the security of the other. It is essential that the components are capable of protecting the confidentiality of the authentication information and are specific to the user, that at least one of the components is single-use except where a biometric component is used, and that the shortest validity period required for this single-use component is determined.”

Under this article, payment institutions may offer users who want to access sensitive payment data the option of an identity verification system that processes biometric data.
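The two-component rule quoted above is concrete enough to be checked mechanically. The following is an added example, not code from the article or from any regulator or institution: it models an authentication flow as a list of components, each tagged with its class (“knows”, “has”, biometric), and reports every way in which the flow falls short of the quoted requirements. The field names, the use of a shared delivery channel as the test for “seizing one component does not compromise the other”, and the 60-second cap on a single-use component’s validity are assumptions made for the example; the Communiqué itself only requires “the shortest validity period required”.

```python
"""Policy check for a two-component authentication mechanism.

Added example (not from the original article or any regulator). Field names,
the 60-second OTP cap and the shared-channel test for independence are
assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class FactorClass(Enum):
    KNOWS = "something the user knows"   # password, PIN
    HAS = "something the user has"       # token, registered phone, smart card
    IS = "biometric characteristic"      # fingerprint, face, voice


@dataclass(frozen=True)
class Factor:
    name: str
    cls: FactorClass
    # Channel over which the component is entered or delivered. Used as a proxy
    # for independence: two components on one channel fall together when that
    # channel is compromised (assumption).
    channel: str
    single_use: bool = False
    validity_seconds: Optional[int] = None  # only meaningful when single_use


# Assumed upper bound for the lifetime of a single-use component.
MAX_OTP_VALIDITY_SECONDS = 60


def check_authentication_policy(factors: List[Factor]) -> List[str]:
    """Return the list of findings; an empty list means the flow is compliant."""
    findings: List[str] = []

    if len(factors) < 2:
        findings.append("at least two independent components are required")
        return findings

    # Components must come from two different classes (knows / has / is).
    classes = {f.cls for f in factors}
    if len(classes) < 2:
        findings.append("components must come from at least two different classes")

    # Independence: no two components may share a channel.
    channels = [f.channel for f in factors]
    if len(set(channels)) < len(channels):
        findings.append("components share a channel, so they are not independent")

    # Unless a biometric component is used, one component must be single-use,
    # and every single-use component needs a short, bounded validity period.
    uses_biometric = FactorClass.IS in classes
    single_use = [f for f in factors if f.single_use]
    if not uses_biometric and not single_use:
        findings.append("without a biometric component, at least one component must be single-use")

    for f in single_use:
        if f.validity_seconds is None or f.validity_seconds <= 0:
            findings.append(f"{f.name}: single-use component needs a bounded validity period")
        elif f.validity_seconds > MAX_OTP_VALIDITY_SECONDS:
            findings.append(
                f"{f.name}: validity {f.validity_seconds}s exceeds the "
                f"{MAX_OTP_VALIDITY_SECONDS}s cap"
            )

    return findings


# Constructed sample components (assumptions, not any institution's real setup).
PASSWORD = Factor("password", FactorClass.KNOWS, channel="web-form")
SECURITY_QUESTION = Factor("security question", FactorClass.KNOWS, channel="web-form")
SMS_OTP = Factor("sms otp", FactorClass.HAS, channel="sms", single_use=True, validity_seconds=45)
STALE_OTP = Factor("email otp", FactorClass.HAS, channel="email", single_use=True, validity_seconds=600)
FINGERPRINT = Factor("fingerprint", FactorClass.IS, channel="device-sensor")
IN_APP_OTP = Factor("in-app otp", FactorClass.HAS, channel="web-form", single_use=True, validity_seconds=30)

if __name__ == "__main__":
    flows = [
        ("password + sms otp", [PASSWORD, SMS_OTP]),
        ("password + security question", [PASSWORD, SECURITY_QUESTION]),
        ("password + fingerprint", [PASSWORD, FINGERPRINT]),
        ("password + stale email otp", [PASSWORD, STALE_OTP]),
        ("password + otp on the same channel", [PASSWORD, IN_APP_OTP]),
    ]
    for label, flow in flows:
        print(label, "->", check_authentication_policy(flow) or "compliant")
```

The “password + fingerprint” flow passes without any single-use component, which is exactly the biometric carve-out in the Communiqué; the “password + security question” flow fails on three counts at once, because two knowledge factors on one form are neither of different classes nor independent, and neither is single-use.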

Conclusion

  • Biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, such as facial images or dactyloscopic data, which allow or confirm the unique identification of a natural person.
  • Biometric data identify people permanently and with a very high degree of certainty. Capture methods such as audio and video recording can moreover make it possible to recognise a person remotely, even on first contact. For this reason, biometric data are protected more carefully and strictly than other personal data under the various regulations.
  • However, not every item of data with biometric content is treated as biometric data, because such data fall within the definition only when processed through a specific technical means that allows a natural person to be uniquely identified or authenticated.
  • Under the GDPR:
    • Data recorded and processed biometrically may only be processed on one of the bases in Art. 9(2), in particular explicit consent, or where law provides for it for compliance with a legal obligation, the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
    • Neither consent nor another legal basis gives complete freedom to process biometric data. The principles of purpose limitation, necessity, data minimisation, proportionality, accuracy, defined retention periods, and transparency must still be complied with.
  • Under the Personal Data Protection Law No. 6698, biometric data are special categories of personal data. Therefore:
    • They may be processed only on the basis of explicit consent or one of the conditions for processing special categories of data in Article 6 of the Law, and
    • In line with the general principles in Article 4, they must be processed with the administrative and technical measures for special categories of data set out in the KVKK Guide.
  • For biometric data processing to be proportionate, less intrusive systems must be insufficient and biometric processing must be genuinely necessary. For example, where simpler methods such as card systems suffice to keep workplace entry and exit records, a biometric recognition system cannot be used.

For Turkish Version of This Article: https://www.eralp.av.tr/kvkk-ve-gdpr-acisindan-biyometrik-verilerin-islenmesi/