Turkey has been following global trends in the adoption of biometrics in technology, particularly in identification and security technologies. As of 2018, Turkey has a population of 82.4 million.[162] 96% of the population own a mobile phone,[163] 41.9 million of whom are smartphone users.[164] In big cities like Istanbul and Ankara, security systems such as hand geometry recognition, iris or fingerprint scans are widely used to enter office buildings, new residential complexes and even luxury gyms. Mobile service providers, banks and insurance companies use voice recognition to authorize customers' access to their accounts. Another example of voice recognition is the voice command technology used in recently released cars that Turkey imports from other countries.

However, despite the use of biometrics in contexts ranging from Touch ID on smartphones to voice recognition for paying internet bills, the collection, storage, processing and destruction of biometric data were not regulated by a privacy law in Turkey until 2016. The law that entered into force in 2016 originates from the European Union Directive 95/46/EC; however, certain areas still remain untested or are yet to be clarified by lawmakers.

A. Biometrics and data protection regulations

In Turkey, the main regulation governing the protection of personally identifiable information is the Law No. 6698 on the Protection of Personal Data (the “Data Protection Law”) that came into effect on April 7, 2016. Before then, it was not clear how biometric data could be stored and processed under Turkish law. The Council of State ruled on several occasions that since privacy is a constitutional right, and storing and using biometric data is a limitation of the right to privacy, such a waiver can only be granted by a duly enacted law. In fact, the Council of State declared face recognition and fingerprint recognition practices in public buildings unconstitutional due to breach of privacy before the Data Protection Law was introduced. Therefore, the entry into force of the Data Protection Law was a milestone in the regulation of biometrics in Turkey, as it introduced the long-awaited regulatory framework for protection of biometric data.

Under the Turkish data protection regime, personal data may not be processed without the data subject’s explicit consent. Biometrics are defined as sensitive data under the Data Protection Law and are subject to the rules applicable to protection of sensitive personal data. Biometric data may only be processed without the data subject’s explicit consent if it is for the purposes of the protection of public health, the provision of preventive medicine, medical diagnosis, treatment and care services or the financial planning and management of healthcare services. Data that falls within one of these exceptions may only be processed by persons or authorized institutions bound by the duty of confidentiality.

B. Transfer of data rules

As a rule, personal data may not be transferred outside of Turkey without the data owner’s explicit consent. Nevertheless, the law provides an exception for certain types of data when sufficient protection is provided in the foreign country where the data is to be transferred, or when the data controllers in Turkey and in the related foreign country sign a written undertaking guaranteeing sufficient protection and the Board has authorized the transfer. Health data falls within one of these exceptions and can be transferred outside of Turkey if the recipient country provides sufficient safeguards. The Data Protection Agency (“DPA”) has still not published the list of countries where sufficient data protection safeguards are provided. Therefore, in practice, in order to transfer data outside of Turkey, the data controllers in Turkey and in the recipient country should sign a written undertaking to guarantee sufficient safeguards and obtain the DPA’s approval. The DPA’s approval will take into consideration the reciprocity of data transfer to Turkey from the country where data is intended to be transferred.

C. Uses of biometrics

(i) New biometric ID cards and drivers’ licenses

In 2016, the law relating to Civil Registration Services was amended[165] to the effect that national ID cards would store biometric data and that this data may not be used for purposes other than identification. Unfortunately, what the biometric data would entail was not defined until 2017, when the same law was amended again. Accordingly, biometric data to be stored on national ID cards was defined as: “Personal data obtained from fingerprint, vein trace and palm taken to ensure the identification and authentication process through electronic systems.”[166]

Similarly, Turkey also switched to new drivers’ licenses with an electronic chip in 2016, which would hold data relating to the holder’s fingerprints and blood type. The deadline for changing existing drivers’ licenses with a new one is 2021.

(ii) Banking regulations

The Turkish Banking Regulation and Supervision Agency has published rules on information systems security.[167] Accordingly, the ID verification mechanism applied to customers should be composed of at least two components that are independent of each other, chosen from elements that are “known” by the customer, “owned” by the customer or “which are a biometric characteristic” of the customer. For the element “known” by the customer, components such as a password or changeable password may be used; for the element “owned” by the customer, a device that generates changeable passwords or a changeable password delivered by SMS may be used. The components shall be entirely specific to the customer, and ID verification shall not be completed and the services shall not be accessed without presenting those components.

This communiqué was amended and the definition of biometric data was added in 2010 as follows: “Biometrics means the unique human physiological and behavioral characteristics that are measurable and attributable to that person.” This rule is the legal basis for the voice recognition systems used by banks for their customer service hotlines.

(iii) Employment law

Under Turkish labor law, employers are required to keep a file for each employee.[168] This file must include all relevant information and documents required by law, in addition to personal information. The employer must submit the file to the appropriate public authorities for inspection whenever asked. However, the employer is obliged to maintain the files in a lawful manner with utmost good faith and not to disclose any information which the employee might have a legitimate interest in keeping confidential.

Employers are also required to ensure that their employees receive data protection training. There should be disciplinary sanctions if the employees act against the data protection policies and procedures of the company.

(iv) Races and games

Another interesting use of biometrics for security reasons was recently introduced in 2018 with an amendment to the Horse Races Regulation. Accordingly, registering a horse for a derby now requires biometric identification of the horse owner or an authorized representative through face recognition, fingerprint recognition, palm veins recognition, etc.

On the other hand, the new electronic card system called “Passolig” which replaced all printed tickets for soccer games does not use any of the biometric recognition systems that are becoming widely used in other countries’ stadiums.

(v) Biometrics regulations and autonomous vehicles

The laws that regulate the highways and the traffic do not yet include provisions relating to AVs or biometrics. Therefore, the general rules applicable to protection of biometrics would apply to biometric data collected within the context of AVs. Due to the unanswered questions on protection of sensitive data (for example, to which countries sensitive data can be sent), and the likelihood of additional legislation in the future, automobile manufacturers as well as importers should be careful to consider privacy requirements to avoid data-breach fines. If, for example, gait and gesture recognition data collected in Turkey is stored in a data center outside of Turkey, data controllers should comply with the data privacy requirements related to cross-border data transfer.

D. Consequences of non-compliance

Data may not be processed without the explicit consent of the data subject, except as explicitly listed under the legislation. Also, data must be collected for a specific and legitimate purpose, be relevant and not disproportionate to the purpose of processing, and be processed in accordance with the general principles set by the law.

In case of an unauthorized destruction of, disclosure of, or access to personal data, the subject may either follow the specific breach notification and complaint procedures under the data protection laws or may resort to other remedies provided under Turkish criminal law as explained below.

Turkish Criminal Code provides criminal sanctions for violations in relation to the use of personal data. Criminal acts regulated under the Turkish Criminal Code directly relating to the use of personal data are as follows:

  1. Violation of privacy (Article 134)
  2. Unlawful recording of personal data (Article 135)
  3. Unlawful access to or disclosure of personal data (Article 136)
  4. Failure to destroy any data subject to destruction as per relevant laws (Article 138)

Unlawful collection of personal data with respect to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sexual life or health conditions is an aggravating condition.

If the above criminal acts are committed by legal entities, specific security measures will apply, such as revocation of privileges, disgorgement of lost profits, or confiscation of property used for unlawful purposes.

The default jurisdiction rule is that Turkish laws apply to criminal offences committed within the Turkish territory (including its airspace and territorial waters). In addition, under specific circumstances, Turkish law may apply even if the criminal offence has been committed outside of Turkey.

Accordingly, criminal offences committed by a Turkish citizen or a foreigner may be subject to Turkish laws, if they are (i) one of the special category crimes listed under the Turkish Criminal Code (e.g. crimes against the security of the state, constitutional order, national defence, relations with foreign states) or (ii) punishable by imprisonment of at least one year and upon fulfilment of additional conditions.

Those who commit breach of privacy or unlawful collection of personal data might be subject to one to three years of imprisonment, while unlawful access to or disclosure of personal data is punishable by two to four years of imprisonment. Commission of these offences by a public official misusing his/her position, or by benefiting from the convenience offered by a profession or trade, is an aggravating condition.

E. Conclusion

Biometric technologies are increasingly becoming a part of daily life, from completing banking transactions to entering office buildings. Data privacy is a new area of law with some untested grounds and unanswered questions, such as the list of countries to which it is safe to transfer data collected in Turkey. It is likely that the regulators will provide more guidelines as the new technologies evolve. In the meantime, car manufacturers should pay attention to the biometric data that they collect and make sure to treat it as sensitive personal data.

162 Turkish Statistical Institute, 2018 Population Statistics

163 “Turkish Heritage.” Technology - Turkish Heritage Organization, www.turkheritage.org/en/issues/technology.

164 “Smartphone Users in Turkey 2017-2023 | Statistic.” Statista, www.statista.com/statistics/467181/forecast-of-smartphone-users-in-turkey/.

165 Law No. 6611 on Amending the Military Service Law and Certain Other Laws dated January 14, 2016 published in the Official Gazette No. 29606 dated January 27, 2016.

166 Law No. 5490 on Civil Registration Services dated April 25, 2006, published in the Official Gazette No. 26153 dated April 29, 2006.

167 Communiqué on Principles to be Considered in Information Systems Management in Banks, published in the Official Gazette No. 26643 dated September 14, 2007.

168 Labor Law No. 4857 dated May 22, 2003 published in the Official Gazette No. 25134 dated June 10, 2003.
