08 Sep Brıef on Personal Data Protectıon Board’s Decısıon Regardıng Hand Geometry
The Personal Data Protection Board (“Board“), with each new decision ruled, provides companies with a cumulatively growing guideline on the compliance of various transactions carried out in companies’ daily operations within the scope of the Law No. 6698 on the Protection of Personal Data (“KVKK“). In this framework, the Board investigates KVKK compliance at all stages, from security cameras to building entry procedures. At the same time, the parameters of special categories of personal data are drawn with the decisions made.
In the decision of the Board dated 07.07.2022 and numbered 2022/662, it has been evaluated whether; (i) the information of "hand geometry" constitutes a special category of personal data and (ii) declaration of the data controller is sufficient for notifying the applicant regarding the deletion of the personal data in the digital environment upon request.
In the complaint submitted to the Board; it was stated that the hand geometry data of the person was scanned to enter the service area, this data was processed without explicit consent, and the complainant applied to the company after the termination of his contract but found the response given by the data controller insufficient.
The data controller made the following claims in their defense; (i) the concept of hand geometry is different from the fingerprint or palm print, (ii) unlike the fingerprint or palm print, it does not have a personal feature, and (iii) the hand geometry may be the same in two other people, while the finger or palm print is a special category of personal data since they are unique personal features. Therefore, they claimed that hand geometry should be considered as only a personal data.
The Board examined the working principles and technical details of the device conducting the hand geometry scanning.
Referring to the 2014/4562 E. numbered decision of the 15th Chamber of the Council of State, the Board highlights that hand geometry is considered as one of the biometric methods in the mentioned decision. The Board also included the S. and Marper v. the United Kingdom decision of the European Court of Human Rights (“ECHR“) dated 4 December 2008, and the Constitutional Court's decision dated 10/03/2022 with the application number 2018/11988 in its decision; emphasizing that the aforementioned authorities have also made a conclusion for biometric data to be considered as special category of personal data.
In light of this information, the Board ruled that;
- hand geometry data is a special category of personal data,
- thus, the data controller who process the hand geometry data has processed said data illegally and
- as a consequence an administrative fine amounting to (100.000 TRY) shall be imposed.
While imposing the administrative fine, the Board has taken into account the economic situation of the data controller and the fact that many people are affected by the violation.
Regarding the request for deletion of personal data held by the data controller, it has been decided that it will not be possible to send a physical document displaying a proof with respect to deletion of digital data and therefore declaration of the data controller is sufficient.
This decision is noteworthy since the Board included GDPR regulations in its evaluations for the first time. The relatively newly established Board supports its decisions and guides data controllers and legal representatives by making use of the detailed regulations and broad case law in the European Union.
This decision is consistent with the other violation decisions given by the Board and the significance attributed to the protection of special category of personal data continues. It should not be forgotten that; the risk undertaken by data controllers regarding the processing and storage of special category of personal data increases with the number of persons whose data is processed and the amount of data. In the light of the aforementioned decision, many daily transactions, which are seen as usual by companies and whose legal audit is ignored, can actually be evaluated within the scope of KVKK and therefore contain a legal risk. In this context, it is seen once again that KVKK auditing and compliance studies are more important than previously thought.
