Bezen & Partners | News

Legal Briefing - Recent Board Decisions on the Processing of Special Category Personal Data




 
















Summaries of the Personal Data Protection Board’s (the “Board”) decisions on various matters were published on the Personal Data Protection Authority’s (the “Authority”) website on 11 February 2021. The Board’s decision numbered 2020/667 concerning the processing of health data and decision numbered 2020/915 concerning the processing of biometric data serve as important precedents for the implementation of principles concerning the processing of special category personal data.













Key Issues




  • The data subject’s explicit consent must be obtained for processing health data for health insurance purposes.

  • Processing biometric data in breach of the proportionality principle and without obtaining the data subject’s explicit consent violates the legislation.




Introduction

 



Processing special category personal data without obtaining the data subject's explicit consent is prohibited as a matter of principle under the Personal Data Protection Law numbered 6698 (the "PDPL")[1] unless such processing activity falls within the scope of the exceptions set out in the PDPL. Accordingly, the Board's decision numbered 2020/667[2] points to the necessity for an insurance company to request explicit consent from the person to whom it provides health insurance services and in relation to whom it carries out the processing of health data. Further, the decision numbered 2020/915[3] determines the approach of the Board concerning the monitoring of when public officers enter and leave work premises by processing their biometric data (by way of fingerprint scanning).



Decision Numbered 2020/667 Concerning the Necessity of an Insurance Company to Obtain Explicit Consent



The data subject applied to an insurance company to renew the health insurance policy covering his/her family and was met with the data controller's request for explicit consent to proceed with the renewal process. The data subject filed a complaint with the Authority on the grounds that the insurance company's explicit consent request constituted a breach of the PDPL and that the renewal should be performed without obtaining the data subject's explicit consent.



The Board decided that the processing of health data, which is the subject matter of the health insurance policy and is classified as "special category personal data", for the renewal of the relevant policy does not constitute an exception to obtaining explicit consent under Art. 6/3 of the PDPL.



Accordingly, the ambiguity as to whether explicit consent is required for processing health data within the scope of insurance transactions was clarified. According to this decision, insurance companies are now obliged to obtain data subjects' explicit consent in this regard.



Decision Numbered 2020/915 Concerning the Usage of Employees' Biometric Data



The times at which the data subject, a civil servant employed pursuant to the Civil Servants' Act No. 657[4], enters and leaves the work premises are tracked by the employer (i.e. the data controller) through fingerprint readers. The data subject applied to the data controller, asserting that each staff member's fingerprint data is taken and registered in the data controller's system, and requested the deletion of such fingerprint data from the system. The data subject then applied to the Board, claiming that this request was not honoured by the data controller.



The data controller defended itself by stating that (i) the relevant application could not be evaluated within the scope of the PDPL as the data subject failed to deliver the application to the correct department; (ii) fingerprint tracking was used for effective and efficient use of public resources; (iii) the personnel's fingerprint data was not shared with any third person; (iv) the encrypted fingerprint data was saved with a special algorithm and third parties were restricted from accessing such data; and (v) the fingerprint data were used solely for tracking working hours.



The Board's evaluation on this issue was as follows:




  • "Fingerprint" is classified as biometric data under the GDPR[5] and in the decisions of the Council of State[6]. Obtaining fingerprints to record personnel's entry to and departure from work premises constitutes a "special category personal data processing activity";

  • Pursuant to Article 4/2 of the PDPL entitled "General Principles", the collected personal data must be relevant, limited and proportionate to the purpose of processing;

  • The use of fingerprint scanning, which is usually necessary when extraordinary security measures are required, for the sole purpose of controlling working hours violates the principle of proportionality, considering that the same control could be carried out by alternative means;

  • Biometric data, which is classified as "special category personal data", can only be processed after obtaining the data subject’s explicit consent for such purpose. However, in this case, the data subject's explicit consent has not been obtained;

  • The data controller violated Article 12 of the PDPL which regulates the security of personal data as it processed personal data unlawfully; and

  • The data controller violated the principle of good faith due to its failure to reply to the data subject’s application in respect of his/her rights under Article 11 of the PDPL.



Accordingly, the Board decided that the data controller must: (i) carry out disciplinary proceedings vis-à-vis its personnel who carried out these data processing activities and inform the Board of the results; (ii) immediately destroy the biometric data and, in case such biometric data has been transferred to third parties, request such third parties to destroy the relevant data; (iii) submit to the Board evidence proving the destruction of such data and that the current system for collecting such data has been removed; and (iv) inform the data subject of the implementation of these measures.



The Board highlighted that employers must avoid all activities and systems that require biometric data processing unless extraordinary security measures are indispensable. In light of this decision, employers who already control, or contemplate controlling, the entrances and exits and the working hours of employees through the processing of biometric data must first evaluate the requirement to implement extraordinary security measures and, if deemed indispensable, obtain the explicit consent of their employees in this regard.



 



 



 




 



Key contacts



For more information, please contact us:

















 



Murat Soylu



Partner



+90 (212) 366 6802



[email protected]



 



Zekican Samlı



Senior Associate



+90 (212) 366 6817



[email protected]



 



Berfu Öztoprak



Associate



+90 (212) 366 6824



[email protected]



 



Mustafa Karadaş



Intern



+90 (212) 366 6828



[email protected]



 



 




 



 



[1] Published in the Official Gazette dated 7 April 2016 and numbered 29677





[2] Decision dated 3 September 2020





[3] Decision dated 1 December 2020





[4] Published in the Official Gazette dated 23 July 1965 and numbered 12056





[5] General Data Protection Regulation numbered 2016/679





[6] Decision of the 5th Chamber of the Council of State with the file number 2013/5342 and decision number 2013/9525



