The Board of Personal Data Protection has published a decision in the Official Gazette dated 07.03.2018 on the sufficient measures to be taken when processing special categories of personal data.

Special Categories of Personal Data

Article 6 of the Turkish Data Protection Law defines special categories of personal data (also referred to as sensitive personal data) as follows:

"ARTICLE 6 – (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data."

Sufficient Measures For Processing Special Categories Of Personal Data

  1. The data controller should establish and publish a separate procedure and policy for the protection of special categories of personal data. This procedure and policy must be systematic, clearly defined, sustainable and manageable.
  2. Measures for employees who process special categories of personal data:

    1. The data controller should provide training on the Turkish Data Protection Law, the secondary legislation and the protection of special categories of personal data.
    2. The data controller should sign a non-disclosure agreement.
    3. The data controller should define the scope of authority and the period of authorisation of authorised users.
    4. The data controller should review authorisations periodically.
    5. The data controller should revoke the authorisation of employees who leave the job or change job position.
  3. If special categories of personal data are processed or accessed in an electronic/online environment:

    1. The data should be stored using cryptographic methods.
    2. Cryptographic keys should be kept in a secure and separate environment.
    3. All activities on the data should be securely logged.
    4. Security updates for the data environment should be tracked, security tests should be performed periodically and the test data should be recorded.
    5. If the data controller accesses the data through software, the users of that software should be authorised, security tests of the software should be performed periodically and the test data should be recorded.
    6. If remote access is required to process the data, two-factor identity verification must be provided.
  4. If special categories of personal data are processed or accessed in hard copy:

    1. The data controller should ensure that sufficient measures are provided for the related environment.
    2. The physical security of the environment should be ensured and unauthorised entry and exit should be prevented.
  5. When the data controller wants to transfer special categories of personal data:

    1. If the data is transferred via e-mail, an encrypted corporate e-mail address or a registered electronic mail (KEP) address should be used.
    2. If the data is transferred via flash memory, CD, DVD etc., it must be encrypted with cryptographic methods and the cryptographic key should be kept in a separate environment.
    3. If the data is transferred from one server to another, it should be transferred using VPN or SFTP.
    4. If the data is transferred in hard copy, the data controller should take measures to prevent the hard-copy files from being lost or stolen. These files should also be transferred in "Classified Files" format.
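The electronic-environment measures in item 3 (cryptographic storage, keys kept in a separate environment, secure logging of every action) and the removable-media rule in item 5.2 are concrete enough to show in code. The following Go program is an added example written for this article; it is not part of the decision and not code from any particular data controller. It assumes a small in-memory key store standing in for the separate key environment, AES-GCM from the Go standard library for storage encryption, and a hash-chained audit log as one way to make the activity log tamper-evident; the record ID, actor and sample value are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// KeyStore stands in for the "separate environment" the decision requires for
// cryptographic keys: records carry only a key ID, never key material.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a random 256-bit AES key under the given ID.
func (ks *KeyStore) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// aead looks up a key by ID and returns an AES-GCM instance for it.
func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealedRecord is what the data store, or a USB stick / DVD, actually holds.
type SealedRecord struct {
	KeyID string
	Nonce []byte
	Data  []byte // ciphertext with the GCM authentication tag appended
}

// Seal encrypts a special-category value. The record ID is bound as associated
// data, so a ciphertext cannot be silently reattached to another subject's record.
func Seal(ks *KeyStore, keyID, recordID string, plaintext []byte) (SealedRecord, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{KeyID: keyID, Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, []byte(recordID))}, nil
}

// Open decrypts and authenticates; any change to ciphertext, nonce or record ID fails.
func Open(ks *KeyStore, recordID string, rec SealedRecord) ([]byte, error) {
	gcm, err := ks.aead(rec.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Data, []byte(recordID))
}

// AuditEntry records one action on the data. Hash covers the entry and the
// previous entry's hash, so the log forms a tamper-evident chain.
type AuditEntry struct{ Actor, Action, RecordID, Prev, Hash string }

type AuditLog struct{ Entries []AuditEntry }

// entryHash hashes length-prefixed fields so field boundaries cannot be shifted.
func entryHash(e AuditEntry) string {
	var buf []byte
	for _, f := range []string{e.Actor, e.Action, e.RecordID, e.Prev} {
		buf = append(buf, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	h := sha256.Sum256(buf)
	return hex.EncodeToString(h[:])
}

// Append adds an entry linked to the previous one.
func (l *AuditLog) Append(actor, action, recordID string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Actor: actor, Action: action, RecordID: recordID, Prev: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
}

// Verify re-walks the chain; an edited or deleted entry breaks a link.
func (l *AuditLog) Verify() bool {
	prev := ""
	for _, e := range l.Entries {
		if e.Prev != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	ks := NewKeyStore()
	_ = ks.Generate("k-2018-03") // constructed key ID
	log := &AuditLog{}
	// Constructed sample: a health-related value for a fictitious data subject.
	rec, _ := Seal(ks, "k-2018-03", "subject-42", []byte("blood type: 0 Rh+"))
	log.Append("hr-clerk", "seal", "subject-42")
	pt, err := Open(ks, "subject-42", rec)
	log.Append("hr-clerk", "open", "subject-42")
	fmt.Println(string(pt), err, log.Verify())
}
```

The data store and the key store are deliberately separate types so that a copy of the records (or of a flash drive written with `SealedRecord` values) is useless without the key environment; the audit chain gives the "secure logging" requirement a concrete check, since `Verify` fails as soon as any past entry is altered.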

The full text of the decision (available only in Turkish) can be found at the link below:

https://www.lexpera.com.tr/resmi-gazete/metin/RG801Y2018N30353S201810

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.