Processing special category personal data without obtaining the data subject's explicit consent is prohibited as a matter of principle under the Personal Data Protection Law numbered 6698 (the "PDPL")[1] unless such processing activity falls within the scope of the exceptions set out in the PDPL. Accordingly, the Board's decision numbered 2020/677[2] points to the necessity for an insurance company to request explicit consent from the person to whom it provides health insurance services and in relation to whom it carries out the processing of health data. Further, the decision numbered 2020/915[3] determines the approach of the Board concerning the supervision of public officers' times of entrance of and departure from work premises by processing their biometric data (by way of fingerprint scanning).

Decision Numbered 2020/667 Concerning the Necessity of an Insurance Company to Obtain Explicit Consent

The data subject applied to an insurance company to renew the health insurance policy covering his/her family and was met with the data controller's request for explicit consent to proceed with the renewal process. The data subject filed a complaint to the Authority on the grounds that the insurance company's explicit consent request constitutes a breach of the PDPL and the renewal should be performed without obtaining such data subject's explicit consent.

The Board decided that processing of health data which is the subject matter of the health insurance policy and classified as "special category personal data" for the renewal of the relevant policy does not constitute an exception to obtaining explicit consent under Art. 6/3 of the PDPL.

Accordingly, the ambiguity as to whether it is required to obtain explicit consent for processing health data within the scope of insurance transactions was clarified. According to this decision, insurance companies are now obliged to obtain data subjects' explicit consents in this regard.

Decision Numbered 2020/915 Concerning the Usage of Employees' Biometric Data

The timing of entrance of and departure from work premises of the data subject, who is a civil servant employed pursuant to the Civil Servants' Act No. 657[4], is tracked by the employer – i.e. data controller - through fingerprint readers. The data subject applied to the data controller asserting that each personnel's fingerprint data is taken and registered in the data controller's system and requesting the deletion of such fingerprint data from the system. The data subject then applied to the Board claiming that its request was not honoured by the data controller.

The data controller defended itself by stating that (i) the relevant application could not be evaluated within the scope of the PDPL as the data subject failed to deliver the application to the correct department; (ii) fingerprint tracking was used for effective and efficient use of public resources; (iii) the personnel's fingerprint data was not shared with any third person; (iv) the encrypted fingerprint data was saved with a special algorithm and third parties were restricted from accessing such data; and (v) the fingerprint data were used solely for tracking working hours.

The Board's evaluation on this issue was as follows:

• "Fingerprint" is classified as a biometric data under the GDPR[5] and in the decisions of the Council of State[6]. Obtaining the fingerprint for the personnel's entrance of and departure from work premises constitutes a "special category personal data processing activity";


• Pursuant to Article 4/2 of the PDPL entitled "General Principles", the collected personal data must be relevant, limited and proportionate to the purpose of processing;


• Usage of fingerprint scanning, which is usually necessary when extraordinary security measures are required, for the sole purpose of controlling working hours violates the principle of proportionality, considering that the same control could be carried out by alternative means;


• Biometric data, which is classified as "special category personal data", can only be processed after obtaining the data subject’s explicit consent for such purpose. However, in this case, the data subject's explicit consent has not been obtained;


• The data controller violated Article 12 of the PDPL which regulates the security of personal data as it processed personal data unlawfully; and


• The data controller violated the principle of good faith due to its failure to reply to the data subject’s application in respect of his/her rights under Article 11 of the PDPL.

Accordingly, the Board decided that the data controller must: (i) carry out disciplinary proceedings vis-à-vis its personnel who carried out these data processing activities and inform the Board of the results; (ii) immediately destroy the biometric data and, in case such biometric data has been transferred to third parties, request such third parties to destroy the relevant data; (iii) submit to the Board evidence proving the destruction of such data and that the current system for collecting such data has been removed; and (iv) inform the data subject of the implementation of these measures.

The Board highlighted that employers must avoid all activities and systems that require biometric data processing unless extraordinary security measures are indispensable. In light of this decision, employers, who already control or contemplate controlling the entrances and exits and the working hours of employees through the processing of biometric data, must first evaluate the requirement to implement extraordinary security measures and if deemed indispensable, obtain the explicit consent of their employees in this regard.