Because of the need for greater protection of personal data of special nature due to their nature, explicit consent obtained from the data owner regarding the processing of this data may not always be sufficient. In the decisions of the Personal Data Protection Authority (“Authority”), it is observed that, explicit consent alone obtained from the data holder is not sufficient for the processing of the biometric data by private law real person/legal entities that are not authorized directly with the relevant legislation, by evaluating the authenticity of the explicit consent obtained from the data holder and the legitimate interest of the Data Controller together. The method of processing biometric data is being abandoned day by day in light of the Authority’s related criminal sanctions and alternative methods are being preferred by private law real and legal persons for the benefit that is intended to be obtained through the processing of such data.
In accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), personal data is divided into two categories as “general qualified personal data” and “personal data of special nature” and due to their nature, personal data of special nature needs more protection compare to general qualified personal data. Act In the paragraph of the Article 6., “Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data” are specified as personal data of special nature and it is stated that the processing of the data of this nature, except in the cases mentioned in the third paragraph of the same article, shall be legitimate by obtaining explicit consent from the data holder in addition to the appropriate clarification. In the third paragraph, it is stated that any person or authorized public institutions and organizations that have confidentiality obligation, can process personal data of special nature under certain conditions without seeking explicit consent of the data holder. However, it is clear that private legal entities and real persons who are out of the scope of the exception brought by the Law should be more careful about the compatibility in such data processing actions.
Other than the cases and persons mentioned in the third paragraph of the relevant article, the persons, institutions and organizations should inform the data holder about processing and obtain explicit consent before processing personal data of special nature. However, at this point, the disclosure and explicit consent of the data holder alone will not legitimize the processing of personal data of special nature. The general principles prevailing in the law must also be taken into consideration by the Data Controller in the data processing process.
It is stated by the Authority that the principle of proportionality / limitation means that the processed data is suitable for the achievement of the specified objectives, and the avoidance of the processing of personal data which is not related to the achievement of the purpose or that is not needed. Establishing a reasonable balance between the data processing activity and the intended purpose is the first case to be considered in processing the data of special nature. In other words, it should be understood that explicit consent from the person will not ensure compliance with the law if the data of special nature requested from the data holder is not related to nature of the work or the service provided. In the audits, in addition to the principle of proportionality and limitation, the Authority questions the validity of the explicit consent given by the person according to the concrete case, and evaluates the conditions under which the explicit consent is given and whether the data officer is really in the interest of processing such special data.
In legal relations where the parties are not equal, due to social, economic or psychological pressures, the will of the data holder may defect and the issue of invalidity of the explicit consent may come up. At this point, the Authority is not contented with the existence of explicit consent for the processing of private data of special nature but examines the authenticity of this declaration by considering the nature of the relationship between the parties. For example, in the employee-employer relationship, it would be difficult to mention that the worker has the right to refuse the processing of his or her personal data. While explicit consent is not sought for data of special nature that can be processed by the Data Controller based on the law (for example, some data of special nature which must be found in the personal file), in the
processing sensitive personal data whose processing cannot be based on the law, it is examined that if the explicit consent authentic or not and whether there is a reasonable balance between act of processing and intended purpose.
In particular, in the processing of biometric data, which is in the category of private data of special nature, the legitimate interest of the Data Controller is questioned even more comprehensively by the Authority. Unique physiological features that directly characterize the person, such as fingerprint, retinal information, DNA, plexus, voice, etc. can be given as examples of biometric data. The right to the processing of such sensitive data, with some exceptions, is granted only to authorized institutions and organizations.
As a matter of fact, the Authority is even more cautious about the processing of biometric data by private law real person/legal entities that are not directly authorized with the relevant legislation and even if explicit consent is given by the data owner, the Authority may think that the Data Controller violates the principle of proportionality and limitation in the processing of highly sensitive data such as biometric data.
Parallel to what we tell, it is observed that the Authority considers the use of the Personnel Audit Control System (“PACS”), that requires fingerprinting for entry and exit to workplaces, by private law real person/legal entities as a violation, even though explicit consent has been obtained from those concerned. In addition to the evaluation of whether the explicit consent given is based on free will, the institution states in its relevant decisions that highly personal data such as fingerprint, retinal information, DNA, voice cannot be used by private law real person/legal entities that are not directly authorized by law and the benefit to be obtained through the processing of biometric data is a matter that must be resolved by the Data Controller by developing alternative methods.
Day by day, in the light of the Authority’s criminal sanctions, it is known that institutions and organizations that process sensitive biometric data such as fingerprint and retinal information have abandoned this orientation and they started to prefer alternative ways in this respect.