The Personal Data Protection Authority (“Authority”) announced that in addition to students’ personal data such as name-surname,

some special categories of data that can be considered biometric data such as voice and video-image, are processed through remote learning platforms. Furthermore, the Authority has stated that much software used by remote learning platforms operates through cloud-based service providers. Data centers of these software are mostly located abroad. In this context, the Authority has stated that:

  • Data processing through remote learning platforms should comply with the personal data processing conditions stipulated under article 5 and 6 of Law on the Protection of Personal Data numbered 6698 (“DP Law”),
  • For remote learning platforms whose data centers located abroad, cross-border transfer of personal data comes into question. Accordingly, personal data transfers that fail to meet the cross-border data transfer conditions indicated under article 9 of DP Law shall be deemed unlawful,
  • Remote learning platforms should consider the Personal Data Protection Board’s (“Board”) “Personal Data Security Guide” and the Board decision dated 31 January 2018 and numbered 2018/10 on “The Adequate Measures to be Implemented When Processing Special Categories of Personal Data” while taking the necessary data security measures.

The full text of the Authority’s announcement dated 7 April 2020 is available at this link.