EVALUATION OF BIOMETRIC DATA PROCESSING IN PERSONNEL ENTRY-EXIT FOLLOW-UPS WITHIN THE SCOPE OF PROTECTION OF PERSONAL DATA


1. General Explanations

Processing of personal data is defined in Article 3 of the Personal Data Protection Law No. 6698 (“KVKK” or “Law”). Accordingly, all kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, whether by fully or partially automatic means or by non-automatic means provided that they are part of a data recording system, are accepted as processing of personal data. The conditions for processing personal data are listed in Article 5 of the Law, and personal data may be processed where at least one of the following conditions exists:

The data subject has given explicit consent,
Processing is explicitly stipulated in the laws,
Processing is necessary for the protection of the life or physical integrity of a person who is unable to give consent due to actual impossibility or whose consent is not legally valid,
Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of that contract,
Processing is mandatory for the data controller to fulfil its legal obligation,
The data has been made public by the data subject,
Processing is mandatory for the establishment, exercise or protection of a right,
Processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The conditions for processing personal data, i.e. the grounds of lawfulness, are set out in the Law as an exhaustive list, and it is understood that these conditions cannot be expanded.

Before a data controller relies on the explicit consent of the data subject for a data processing activity, it should first evaluate whether one of the other processing conditions can be relied upon. Only where it is not possible to rely on the processing conditions stated in paragraph 5/2 of the Law, which can be seen as exceptions to explicit consent, does obtaining the explicit consent of the data subject become necessary.

In this context, there are three elements that should be considered in order for the explicit consent requested from the data subject to have a lawful character:

Explicit consent must relate to a specific subject,
The person has been informed about the consent requested,
The person concerned has given explicit consent based on his/her free will.

2. Nature of Biometric Data and Matters to be Considered in Processing

In Article 6 of the Law, titled “Conditions for processing special categories of personal data”, data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are defined as special categories of personal data.

Although the Law does not define biometric data, which is among the special categories of personal data, the European Union's General Data Protection Regulation (“GDPR”), which entered into force on 25 May 2018, defines biometric data as “personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics, such as facial images or dactyloscopic data, which enable or confirm the unique identification of a natural person”.

Based on these explanations, it can be said that personal data must have certain qualities in order to be considered biometric data, namely:

The distinctive characteristics of the person, such as physiological, physical or behavioural characteristics, are revealed as a result of a data processing activity,
The characteristics revealed are personal data that serve to identify the person or to verify the person's identity.

Recital 51 of the GDPR also contains explanations on biometric data. It states that the processing of photographs cannot be directly qualified as processing of biometric data, and that such data fall within the definition of biometric data only when processed by a specific technical method that allows a natural person to be uniquely identified or verified. Therefore, for data to be considered biometric data, it is considered sufficient that the data have the ability to identify or verify that particular person.

Similarly, in the decision of the 15th Chamber of the Council of State numbered 2014/4562, it is stated that biometric methods refer to identity control techniques that are performed through measurable physiological and individual characteristics and can be automatically verified, and that these include fingerprint recognition, palm scanning, hand geometry recognition, iris recognition, face recognition, retina recognition and DNA recognition.

In this context, it is established by the practice of the Personal Data Protection Authority and the relevant legislation that data controllers engage in biometric data processing when they collect data such as fingerprints, facial images or palm scans through Personnel Attendance Control Systems (“PDKS”) and similar systems at the entrance to workplaces in order to verify the identity of persons and to track their entry and exit.

The Personal Data Protection Authority (“Authority”), which primarily refers to the General Principles in Article 4 of the Law in the processing of biometric data, particularly underlines the principle of proportionality. In addition, it is appropriate to mention the assessments made in the Constitutional Court's Decision numbered 2016/125 and 2017/143, given in the annulment case filed by members of the Grand National Assembly of Turkey before the Constitutional Court (“Constitutional Court”) regarding the annulment of certain phrases and articles of the Law. In this context, in the processing of biometric data:

Within the scope of the right to request the protection of one's personal data, which is a fundamental right and freedom regulated in the Constitution, biometric data processing should also be subject to the basic guarantees for fundamental rights and freedoms regulated in the Constitution, and the principle of proportionality should be observed,
The biometric data processing activity of the data controller and the purpose it intends to achieve with this activity must be compatible with each other; in other words, “the method/rule introduced is suitable for the purpose to be achieved”,
The biometric data processing activity must be necessary for the purpose that the data controller wants to achieve; as emphasised in the aforementioned decision of the Constitutional Court, if there is more than one tool that allows the same purpose to be achieved, the least intrusive method/tool should be selected,
There must be proportionality between the processing of the data and the purpose to be achieved,
The processed data must be retained only for the period that their retention is required, and destruction processes must be operated once this necessity ceases,
The data controller must fulfil its disclosure obligation in accordance with the Law, on a process-by-process basis,
If it is necessary to proceed with explicit consent, an explicit consent process must be carried out in accordance with the Law, in which the person concerned is informed of the subject matter and of the consequences of the consent to be given within the scope of that subject matter.

In the light of all these explanations, even in the scenario where all kinds of measures are taken and necessary procedures are carried out, it can be said that the processing of biometric data is neither necessary nor proportionate if the same or better result can be achieved with an intervention that is less restrictive to fundamental rights and freedoms.

Article 4 of the Law, titled “General Principles”, stipulates that personal data can only be processed in accordance with the procedures and principles set out in the Law and other legislation, and then states that personal data can only be processed: in accordance with the law and good faith; for specific, clear and legitimate purposes; accurately and, where necessary, kept up to date; in a manner that is relevant, limited and proportionate to the purpose for which they are processed; and retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Of these principles, it is emphasised that the principle of being relevant, limited and proportionate to the purpose requires that the processed data are suitable for achieving the specified purposes, that processing of personal data that is not related to or not needed for achieving the purpose should be avoided, and that data processing should not be carried out to meet needs that may arise later.

3. Evaluation of Explicit Consent and Proportionality Principle within the Scope of Biometric Data Processing Activity

The principle of proportionality means that a reasonable balance should be established between the data processing activity and the purpose to be achieved. In other words, data processing should be limited to the extent necessary to achieve the purpose, personal data that are not necessary for the processing activity should not be collected and/or processed, and the data controller should request the minimum information from the data subject within the framework of its purpose. Even if the processing of personal data is carried out with the consent of the data subject and for a specific purpose, it is clear that explicit consent will not legitimise excessive data collection: personal data should be collected only for specific purposes and only as much as necessary, used only where required by the purpose and not kept for longer than necessary for that purpose.

In light of the issues explained above, it is not difficult to conclude that the explicit consent given, or to be given, by the data subject to the processing of his/her biometric personal data cannot be accepted as lawful in some cases. Even though the data subject has given explicit consent, it remains important to evaluate whether the general principles have been violated in the processing of the data, and especially whether the proportionality threshold has been exceeded.

In addition to the decisions made by the authorities under Turkish law, it will be useful to mention how biometric data processing has been addressed under the GDPR, which is binding on all member states of the European Union and the European Economic Area (“EEA”) and is, in this sense, supranational in nature.

a. Evaluation of Biometric Data within the Scope of the Board's Decisions

There are many decisions of the Personal Data Protection Board (“Board”) regarding biometric data. One of the best known is undoubtedly the fine imposed by the Board on a gym that used fingerprints to monitor entry and exit. In that decision, requesting the fingerprints of individuals for entry to and exit from the gym, and thereby processing biometric data as a prerequisite for obtaining gym services, was considered disproportionate despite the consent of the persons concerned and despite the gym's statement that it collected this data for security purposes, and the gym faced two separate administrative fines.

At this point, it can be said that the practice in question significantly interferes with the constitutional right to request the protection of personal data as well as with the principle of proportionality, and therefore touches fundamental rights and freedoms. Leaving the data subject no option other than the data processing activity, and making explicit consent a prerequisite for obtaining the service, is also a violation of the “good faith rule” under Article 2 of the Turkish Civil Code, which is of great importance.

One of the issues specifically mentioned in the decision, which will feature in future decisions as an important criterion for the proportionality of biometric data processing, is that where it is possible to monitor entry to and exit from the sports hall through alternative means, the processing of biometric data will not be compatible with the basic principles of the Law even where explicit consent has been obtained.

In this decision, the Board referred to the practice of the Council of State and to closely related decisions in international law, as it would frequently do in its subsequent decisions:

In its Decision No. 2017/816, the Council of State found that the Administrative Court's decision rejecting the annulment case brought against a face-scanning application was not in accordance with the law. The Administrative Court had reasoned that the application could not be qualified as data recording, considering that the defendant administration had switched to face scanning because of the difficulty of controlling and supervising personnel in certain units and under a shift working system, and that the facial recognition system worked by converting the facial image of the personnel into numerical codes and comparing them.

In its Decisions No. 2014/2242 and 2014/4562, the Council of State emphasised that biometric methods such as a “fingerprint or face scanning system” constitute an unlawful procedure, considering that they fall within the scope of the principle of “privacy of private life” even in public areas and that there is no assurance that the collected data will not be used in some other way in the future.

Similarly, the European Court of Human Rights, in its S. and Marper v. the United Kingdom judgment of 4 December 2008, ruled that the storage of fingerprints, cell samples and DNA profiles of individuals was a disproportionate and excessive interference with the applicants’ right to privacy and could not be considered as a necessary interference in a democratic society and that the practice violated Article 8 of the European Convention on Human Rights.

On the other hand, the example given in the document titled “Opinion 3/2012 on Developments in Biometric Technologies” (WP193), prepared by the Article 29 Working Party, considers a fitness club or gym that stores and processes the fingerprints of all customers and staff in order to ensure that only members can enter and access the relevant services, to facilitate access to the club and to manage subscriptions. The Working Party states that the same needs can instead be met by different measures that do not require the processing of biometric data, such as a simple checklist, Radio Frequency Identification (“RFID”) tags or a magnetic stripe card.

In the Board's Summary of Decision dated 1 December 2020 and numbered 2020/915, the tracking of the entry and exit of the data subject, a civil servant working in a municipality, through biometric data processing within the data controller was brought to the agenda. In its defence, the data controller stated that the fingerprints taken from the personnel were used only for overtime controls under the attendance system, that the algorithm basically works by encrypting the characteristic data of the fingerprint and turning it into a template, and that, in this context, the fingerprint turned into a template cannot be imaged or processed in any way. The Board nevertheless made the following evaluation:

The Board found the data controller's practices contrary to the principle of proportionality in Article 4 of the Law, instructed the data controller to remove the relevant system, and required it to submit to the Board the information and documents certifying the destruction of the data obtained, together with the removal of the system.

As explained in detail above, the Board takes a very clear stance against biometric data processing for entry-exit controls: in every decision it returns to the general principles of the Law, directs data controllers to remove the relevant applications, often goes beyond instructions and imposes administrative fines, and ultimately emphasises how sensitively biometric data should be handled.

In the Board's Summary of Decision dated 7 July 2022 and numbered 2022/662, the “Processing of the ‘hand geometry’ information of the data subject by the data controller without obtaining explicit consent in order to enter the service building of an enterprise” was subject to similar evaluations. In that case, it was understood that the biometric data processing was carried out through a device named Biometric Hand Terminal, which measures the physical characteristics of the users/company subscribers, such as their hands and fingers, in a three-dimensional environment.

In the decision, although the data controller stated that hand geometry information does not have a personal feature like a fingerprint and may be identical to that of another person, the Board considered that it is an identity control method performed through a physiological feature that can be automatically verified, given that the device analyses the hand and fingers by scanning the hand in three dimensions from 31,000 points and that the error rate in matching to the relevant person is very low and mathematically clear.

As a result, it was concluded that the data controller performed identity verification with a biometric method by extracting the hand geometry of the service subscribers and the data subject, and thereby processed sensitive personal data.

Considering that the boundaries and types of biometric data are not clearly defined, and that biometrics in this sense refers to the measurement of a living organism, it is an interesting assessment that even non-physiological behavioural information may fall within the scope of biometric data.

With all these evaluations, it was concluded that there was no legal ground for the processing of sensitive personal data, and for the use of biometric data-based systems in this context, in order to ensure control at the entrances to the service building within the data controller; accordingly, the sensitive personal data of the data subject was found to have been processed without any of the processing conditions in Law No. 6698, and an administrative fine of 100,000 TL was imposed on the data controller.

In the same context, in the Board's Summary of Decision dated 4 August 2022 and numbered 2022/797, the issue of “Unlawful processing of personal data by the data controller through security cameras at the workplace and by using a face recognition system at the entrance and exit of the workplace” was evaluated. In that case, the Board's evaluations on whether there were reasons making it compulsory to prefer entry-exit tracking by processing biometric data were as follows:

The explicit consent statement reading “I accept, declare and undertake that I have read and understood the KVKK – Employee and Employee Candidate Clarification Text document, and that I explicitly consent to the collection, recording, processing, storage and transfer of my personal and sensitive personal data specified above in this ‘Explicit Consent Declaration’ without any influence and pressure.” was found not to be in accordance with the definition and conditions of explicit consent in Article 3/1-a of the Law, and it was underlined that an explicit consent statement that is not related to, and limited to, a specific subject cannot be considered lawful,
Even if the personal data processing carried out by using a face recognition system at the entrance and exit of the workplace is based on explicit consent, it must in any case comply with the general principles regulated in Article 4 of the Law. Within this framework, the data controller's purposes at entry and exit, including those related to occupational health and safety, could be achieved by alternative means such as a magnetic card system, RFID tags or entering into the system an SMS code sent to a mobile phone, and malicious use (such as signing or reading a card on behalf of someone else) could be prevented by warning workers against such methods, determining the sanctions to be applied when they are detected and informing workers accordingly; instead, the facial recognition data, which is the biometric data of the employees, was processed,
It was stated that processing more, and more intrusive, personal data than necessary, where the same purpose can be achieved by processing limited and less intrusive personal data that interferes less with the personal rights of the data subjects, constitutes a violation of the obligation to comply with the principle of “being relevant, limited and proportionate to the purpose for which they are processed” in Article 4/2-ç of the Law, and in this context an administrative fine of 500,000 TL was imposed on the data controller.

As can easily be seen from the recent Board decisions, it would not be wrong to state that biometric data applications remain among the Board's current topics.

b. Evaluation of Biometric Data under GDPR

Biometric data is considered a special category of personal data under the GDPR. Therefore, the processing of biometric data under Article 9/2 of the GDPR is subject to certain conditions, such as the explicit consent of the data subject or the necessity of the processing for reasons of public interest.

In the employer-employee relationship, because of the extent of the employer's authority and power over the employee, explicit consent as a legal basis for processing the personal data of employees is approached with greater caution.

In a case before the Dutch Data Protection Authority (“DDPA”), a fine of EUR 725,000 was imposed on a company that requested the fingerprints of employees in order to track their entry to and exit from work. The DDPA concluded that processing biometric data for purposes such as authentication or security is not necessary for tracking entry to and exit from work, found the data processing unlawful, and imposed one of the highest administrative fines in the Netherlands.

Referring to the principle of proportionality in the decision, the DDPA stated that biometric data enjoys extra protection under the GDPR, that biometric data cannot be treated as data that can be changed like a password, and that the protection of the data subjects' data outweighs the interest of the employer. The Dutch Data Protection Authority also stated that the explicit consent was invalid because different alternatives were available even though the employees had given explicit consent, and made the very important assessment that it could not be proven that the explicit consent was given with genuinely free will, starting from the point that, in the employer-employee relationship, it is generally out of the question for employees to refuse to give explicit consent.

Similarly, in a case where a gym processed the fingerprint data of its employees and customers in order to monitor entry and exit, the Lithuanian Data Protection Authority (“LDPA”) imposed a fine of EUR 20,000 on the gym. One of the GDPR provisions on which the fine was based was the processing of biometric data without the valid explicit consent of the persons concerned.

The State Data Protection Inspectorate of Lithuania (“SDPI”) investigated a data subject's application and stated that fingerprints were requested as a mandatory condition for using the gym's services, and that although the data was processed in accordance with the Law of the Republic of Lithuania on Legal Protection of Personal Data, a possible violation of the GDPR could arise.

The SDPI concluded that requesting a fingerprint from customers as a prerequisite for the service vitiates explicit consent, and that, in the absence of a valid explicit consent declaration, an unlawful data processing activity had been carried out. In its separate assessment regarding the employees, the SDPI stated, as in the DDPA decision mentioned above, that the processing could not be regarded as proportionate and that the employees had not been informed about the purpose and legal basis for which their biometric data were processed; in this sense, the obligation to inform was not fully fulfilled.

4. Conclusion

Since biometric data is handled within the framework of similar evaluations in the legislation of our country, in the Constitution and in GDPR practice through international authorities, it can be concluded that the principle of proportionality, one of the universal data protection principles, stands in a delicate balance in biometric data activities such as fingerprint and facial recognition, and that the employer's authority, which predominates especially in employer-employee relations, prevents free will in companies that seek explicit consent in order to continue such applications.

In conclusion:

“Fingerprint”, “face recognition”, “palm reading”, “identification of hand geometry” and similar biometric data processing systems cannot be considered compatible with the principle of requesting the minimum level of data from the relevant persons, in the light of the principle of proportionality in the processing of personal data,

Even in the scenario of a highly diligent process in fulfilling the obligation to inform and in requesting explicit consent, in the case of biometric data this process will often not result in a lawful biometric data processing activity,

It is evident from all the explanations and evaluations that the same results can be achieved if the relevant practices are terminated immediately and methods that are less intrusive on fundamental rights and freedoms are used instead.