The Turkish Personal Data Protection Authority (“Authority”) was asked whether the processing of biometric signature data can benefit from the exception in Article 6/3 of the Turkish Data Protection Law no. 6698 (“DP Law”), given that Articles 14 and 15 of the Turkish Code of Obligations (“TCO”) require contracts subject to a written form requirement to be signed by hand. This exception states that personal data, save for data on health and sexual life, can be processed without explicit consent if it is required by law.
In its decision dated August 27, 2020, the Authority first assessed what is defined as biometric data. Accordingly, biometric data is a type of data that remains unchanged or unforgotten for a lifetime because data subjects carry this data with them. Biometric data is separated into two specific groups: physiological biometric data and behavioural biometric data. While the former includes iris, retina, and fingerprint, the latter includes personality traits depending on time, mood, or age, e.g., manner of walking.
The biometric signature is obtained through the data subject’s use of their biometric data on a tablet or pad, thereby integrating the data in an irreversible way, which makes it very different from a simple wet-ink signature by hand. The requirement set forth by Articles 14 and 15 of the TCO only covers wet-ink signatures by hand or secured electronic signatures. Though the legal consequences of wet-ink signatures and secured electronic signatures are the same, the lawmaker’s approach towards these two types of signatures has not been the same, as the regulations governing them are quite distinct. Therefore, interpreting Articles 14 and 15 of the TCO to include the biometric signature as well would be a wide and disproportionate interpretation of the exemption set forth by Article 6/3 of the DP Law. For these reasons, the Authority announces that:
- Biometric signature is biometric personal data.
- To process biometric personal data, either the exemption stated in Article 6/3 of the DP Law or the explicit consent of the data subject is required.
- The requirement set by Articles 14 and 15 of the TCO does not meet the criteria for the exemption of “requirement by law” as stated in Article 6/3 of the DP Law.
Author: Mustafa Ç. AKBAŞ