Turkey: Biometric Data Usage For Security And Shift Checks Of Employees And In The Medical Sector

 I. OVERVIEW

Personal data protection was a controversial topic in Turkey for many years, mainly due to the European Union ascension procedures. Although Turkey signed and is therefore a party to the European Union Treaty No. 108 Convention for the Protection of Individuals with Regards to Automatic Processing of Personal Data (Treaty 108) back in 1981, the subsequent local regulations were never implemented and therefore the Treaty 108 never entered into force. To remedy this, Turkey adopted a new law regarding personal data protection, the Law on the Protection of Personal Data No. 6698, which was published at the Legislative Journal dated April 7, 2016 and No. 29677 (the Law), therefore effectively implementing the Treaty 108 domestically.

This Law is seen as a much needed improvement in personal data protection, and sets forth new liabilities to data holders, supervisors and processors to keep such personal data private at all times. However, the Law has somewhat vague definitions when it comes to defining what constitutes personal data, which can also be found in the Treaty 108. These vague definitions allow for a flexible definition of what constitutes personal data, which allows for different sets of data to be considered as personal data without the need for legislation amendments. However, it may also cause ambiguity and confusion regarding certain data sets, such as biometric data. Accordingly, in order to determine the rules regarding the usage of biometric data, the general principles and definition of personal data should be examined first.

   II. PERSONAL DATA DEFINITION AND PROCESSING METHODS

Article 2 of the Law defines personal data as "all information relating to an identified or identifiable natural person", whereas Article 6 sets forth that "personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature".

Article 2 also defines processing of personal data as "any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means". Accordingly, even the collection, recording and/or storage of personal data shall be deemed as data processing and shall therefore be subject to the strict rules of procedures stipulated by the Law. Therefore, any action set forth in Article 2 regarding any personal data shall be subject to the explicit consent of the data owner as per Article 5. Of course, there are certain exceptions to this rule. According to Article 5, a personal data may be processed without the explicit consent of the data owner if:

a) it is clearly provided for by the laws,
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
c) processing of personal data belonging to the parties of a contract, is required provided that it is directly related to the conclusion or fulfilment of that contract,
d) it is mandatory for the controller to be able to perform his legal obligations,
e) the data concerned is made available to the public by the data subject himself,
f) data processing is mandatory for the establishment, exercise or protection of any right,
g) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

   III. OBLIGATIONS OF THE DATA CONTROLLER AND DATA OWNER RIGHTS

• Obligations of the Data Controller

According to Article 10, during the data collection and/or processing, the data controller or persons authorized by the data controller, are required to inform the data owner regarding (a) the identity of the controller and all its representatives, (b) the purpose of data processing, (c) to whom and for what purposes the processed data may be transferred and (d) the method and legal reason of collection of personal data.

Furthermore, the data controllers are also required to take all necessary measures, technical and administrative, to prevent any unlawful access and/or processing of such data. If the data is being handled/processed by authorized third parties, then the data controller shall be jointly liable along with the third party for taking these preventive measures and ensuring the safety of the collected data.

• Rights of the Data Owner

Apart from the obligations imposed upon the data controllers, data owners also have a fair amount of rights under the Law. According to Article 11, the data owners have the right to request from the data controller information regarding whether his/her personal data is being processed or otherwise stored and collected, if so then to what end and to what extent the personal data is being processed, information regarding the third parties that have access to such information, if any, to request the rectification of the incomplete or inaccurate information, if any, to request the erasure and/or destruction of the relevant personal data and to request compensation for damages incurred due to unlawful processing of personal data.

The two important rights for data owners here are the right to request the rectification of the incomplete or inaccurate information and the right to claim compensation for damages incurred due to unlawful processing of data. This effectively gives power to the data owner to delete and destroy his/her personal data that is being processed or was processed in the past, and also gives the right to claim compensation if the data controllers breach their obligations arising from the law.

   IV. DEFINITION OF BIOMETRIC DATA

Until recently the legislation did not provide a separate definition for biometric data or a clear and extensive definition of what constitutes personal data. Instead, personal data was defined as "all information relating to an identified or identifiable natural person". The only other classification regarding personal data is the definition of "personal data of special nature" set forth in Article 6 (as noted above). Although this article 6 is a almost a direct translation of Article 6 of the Treaty 108, there is one crucial difference. Back in 1981, when the Treaty 108 was first implemented, the term biometric data did not exist, and therefore this term was not included in the original text of Treaty 108 and biometric data was not classified as personal data of special nature. Article 6 of the Law, however, does note that "biometric and genetic data" shall be deemed as personal data of special nature.

An interesting fact to note is the Court of Appeal's precedent regarding the biometric data (issued prior to the implementation of the Law). According to the precedent set by the Court of Appeals, "fingerprints and biological samples such as DNA, hair, saliva and fingernail samples" shall be deemed as personal data. Furthermore, the Constitutional Court, by referring to the relevant articles of the Treaty 108, ruled that "data obtained via biometric methods" shall be considered as personal data, however, such data cannot be considered as "extremely sensitive personal data such as political opinions, religious beliefs, health, sexual life or criminal convictions as noted in Article 6 of the Treaty 108". It is therefore unclear how this Court precedent should be review in light of the new changes made in the Law, although it is expected the Court of Appeals to amend this precedent in accordance with the new Law.

   V. BIOMETRIC DATA PROCESSING

With the recent technological advancements and biometric technologies becoming cheaper, demand and access to such technologies have increased drastically. Biometric scanners are increasingly used in security (especially in tech companies where confidential information are of high value and in big companies, holdings that have large number of employees) and for identification purposes (mostly in medical sector, in hospitals, clinics etc.).

The most important issue in using biometric data for security and/or identification purposes is obtaining the explicit consent of the data owner. If consent is needed from every data owner, then how can companies use security systems that require biometric data (such as safe/confidential rooms accessible by fingerprint scanners) if one or more of their employees refuse to provide it, or can companies require their employees to use biometric scanners to keep track of their shifts, or can the medical sector demand biometric data before providing medical assistance in order to verify the patients identity?

These are all controversial issues due to the recent development in technology that allows for such systems to be implemented at a much cheaper price. Furthermore, biometric scanners and security systems are arguably more secure than simple passwords, which can be cracked, or more secure ID systems than a person's signature, which can be duplicated. Unfortunately, the Law and subsequent regulations do not provide clear answers to these issues. Therefore, the high courts (mainly the Court of Appeals, the Council of State and the Constitutional Court) have made different rulings for different situations on a case by case basis, depending on the principle of proportionality.

• Biometric Data in Medical Sector for Patient ID Purposes

According to Article 67 of the Social Security and General Health Insurance Law No. 5510, state hospitals in Turkey may require their patients to provide their biometric data as a means for verifying the patient's identification (the article states that the patients are required to either prove their identity via biometric means or with an ID card, driver's license, marriage certificate or a passport, in order to benefit from health services). Accordingly, some state hospitals started using biometric checks to verify the applicant patient's identity and this caused some controversy, as it was seen as a violation of the right to privacy.

Finally, in 2014, the Council of State submitted an appeal to the Constitutional Court for annulment of the relevant provisions in this Article 67 claiming that it violated Articles 2, 13 and 20 of the Constitution. The Constitutional Court rejected the application and ruled that biometric data can be requested by state hospitals to verify patient's identity and this did not violate the right to privacy set forth in the Constitution.  The reasoning given by the Court in this decision was that, since the ID verification via biometric means is more secure against unauthorized usage, as such data cannot be faked, it is much more effective at combatting corruption in public offices. In other words, the Court ruled that preventing the abuse of the healthcare system is of paramount importance and when compared to the violation of the right to privacy, this provision does not violate the principle of proportionality. Therefore, the Court ruled that this provision did not violate the constitution as there was proportionality between the rights being protected (the integrity of the healthcare system) and those that were being violated (the right to privacy).

• Biometric Data for Employee Shift Controls

This is another issue, especially concerning big companies and holdings that have large numbers of employees. These companies use different systems in order to control and record the working hours of their employees, such as signature sheets or card systems. However, another system that can be used is a fingerprint scanning system where employees stamp their time of arrival and departure by scanning their fingerprints.

One state hospital in Turkey started to use such a shift control application that kept track of the employees shift hours via fingerprint scanners. Subsequently, a lawsuit was filed against this mandatory fingerprint scanning application, which was finally decided upon by the Council of State. The Council of State ruled in this decision that, fingerprints of a person should be deemed as an inseparable entity of that person's private life and therefore is under the protection of right to privacy as per Article 20 of the Constitution. Furthermore, the Court ruled that there are other and equally competent means of tracking employee shifts and the benefit to be gained from such tracking application, even in the public sector, is negligible when compared to the violation of right to privacy. Therefore, the Council of State ruled that such applications violate the Constitution and employees cannot be forced to use fingerprint scanning systems for shift tracking purposes even in the public sector.

• Biometric Data for Secure/Confidential Rooms

Another trend in business, especially in tech companies, is the implementation of secure rooms to safely store confidential information. This is especially required by foreign companies from their Turkish counterparts in cases where highly classified and confidential information is being exchanged between the parties. These secure rooms used to be protected by systems using simple passwords, whereas currently, the companies require secure rooms that are only accessible via biometric data, such as fingerprints, retinal scanners or face ID (as it is considered safer than passwords).

However, secure rooms accessible by biometric data once again brings up the issue of consent. Since the companies need one or more of their employees to have access to these secure rooms, they need to obtain such employees' biometric data in order to properly implement a secure room. Although there are no specific high court rulings regarding this issue yet, the Council of States' decision regarding biometric data usage for employee shift controls (noted above) should serve as a good basis. Applying that decision to this case, it is clear that the benefit to be gained from implementing a secure room (in private companies) will be negligible when compared to the violation of the right of privacy. Therefore, companies cannot demand biometric data from their employees for the implementation of secure rooms and cannot terminate employment contracts based on an employee's rejection of providing such data. However, it is still possible to obtain such data from consenting employees (although such consent should be carefully worded to avoid violating any provisions of the Law).

   VI. CONCLUSION

Regulations in Turkey regarding personal data protection are still quite new and therefore, there are no established court precedents so far. The currently available court rulings are generally dated before the implementation of the Law and although some of them do reference the Treaty 108, we will still need to wait a few more years for the high courts to establish a precedent specific to the Law itself, and its secondary regulations. It is therefore extremely important for companies to have comprehensive personal data protection texts (informative texts and consent forms) in order to avoid any possible future liability that may be imposed upon by the court precedents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.