On 16 September 2021, the Personal Data Protection Authority published certain guidelines on the processing of biometric data by data controllers (the “Guidelines”).

The Guidelines consider biometric data generally as personal data the processing of which may reasonably result in the revealing of a data subject’s distinctive physical, behavioral, or psychological traits, which then can be used to identify the data subject; and include two biometric data subcategories, viz., physiological (e.g., fingerprint, retina blood vessel pattern, iris pattern, voice), and behavioral (e.g., gait, keystroke rhythm, swipe/scroll patterns).

Notably, the Guidelines provide, among other things, that:

  1. Biometric data may be processed by a data controller in accordance with articles 4 and 6 of Data Protection Law numbered 6698 (the “DP Law”), provided that:
  • processing does not compromise any fundamental right or freedom.
  • processing methodology is tailored to processing purpose
  • processing purpose necessitates processing.
  • There must be a proportionality between the purpose to be achieved by data processing and the mean of process
  • data is retained until processing purpose is achieved, and then destroyed without undue delay
  • Data subjects are given adequate notice of processing in accordance with article 10 of the DP Law.
  • Express consent required by the DP Law is obtained in accordance therewith.
  1. Data controllers should keep detailed compliance and methodological records.
  2. Unless necessary to the processing purpose, data controllers should refrain from processing bodily fluids or tissue which may contain genetic material.
  3. In the selection of the type or types of biometrics (iris, fingerprint, vascular network of the hand, etc.), justifications and documentation should be provided as to why the preferred type or types of biometric data were chosen over others.
  4. In accordance with the principle of keeping for the period required for the purpose for which they are processed or stipulated in the KVKK, the maximum period for the processing of personal data should be determined.

The Guide also includes technical and administrative measures to be taken regarding biometric data security.

The complete text of the Guidelines is available at this link. (Only available in Turkish)