24 Aug Personal Data Protection Authority’s Decision on Use of Facial Recognition Systems at the Entrances and Exits of a Job Site dated 04.08.2022 and numbered 2022/797
The Personal Data Protection Board (“Board”), with its decision dated 04.08.2022 and numbered 2022/797, evaluated the legality of a company's use of biometric data for employee tracking within the scope of the Law on Protection of Personal Data No. 6698 (“Law”).
In the complaint submitted to the Board, it was stated that: (i) a facial recognition system is used at the entrances and exits of the factory where the person concerned works, and in this regard a general disclosure text stating that their explicit consent had been obtained was signed by the person concerned, (ii) but this text does not contain the necessary elements of explicit consent, (iii) the data controller failed to comply with the condition that the procedures for the obligation to inform and for obtaining explicit consent shall be fulfilled separately, and (iv) the use of a facial recognition system is a disproportionate application when there are alternative options that can be used at the entrances and exits.
In summary, in the defense of the data controller company it was stated that:
- the company operates in paper production and is in the “hazardous” class in terms of occupational health and safety due to its production activities,
- in the facial recognition system used, the system scans people's faces and creates a series of numbers using an algorithm, and it is not possible to retrace a person's facial information from these numbers, therefore the system does not keep biometric data; the system is also of vital importance for the safety of all workers in preventing untrained personnel from entering and exiting the production sites, and the company’s actions are appropriate and restrained and choose the path that least interferes with the fundamental rights and freedoms of workers, and
- the company fulfilled its obligation to inform the persons concerned in accordance with the law and obtained explicit consent.
In the light of this information, the Board made its own assessments. Although the Law does not include a definition of biometric data, which is among the special categories of personal data, biometric data is defined in the European General Data Protection Regulation (“GDPR”) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. It is also mentioned among the biometric methods in decision no. 2014/4562 of the 15th Chamber of the Council of State.
The Board observes that the data controller does not comply with the necessary conditions of explicit consent, which are that it be given on a specific subject, based on information and with free will. This is because the Explicit Consent Text of the data controller lists many purposes and then includes all personal data processed by the data controller. In this context, it appears that all personal data processing activities carried out by the data controller are carried out primarily and only on the basis of the explicit consent of the persons concerned. The Board considers that data processing activities that rely on another data processing condition listed in the Law should not be included in the Explicit Consent Text; however, when the Explicit Consent Text of the data controller is examined, it is seen that all personal data processing activities are included in this text even though there are valid conditions other than explicit consent.
Finally, the Board noted that even if the personal data processing activity of using a facial recognition system at the entrances and exits of the factory is based on explicit consent, in any case these data processing activities should be carried out in accordance with the general principles set forth in Article 4 of the Law. It was underlined that there are alternative ways in this regard and that it is possible to prevent the malicious use of these alternative ways by the employees by warning them and informing them about the possible sanctions.
Based on these evaluations, the Board ruled that:
- an administrative fine of 500.000 TL is to be imposed, since the explicit consent obtained by the data controller from the data subject regarding the processing of biometric data does not contain the elements of “freely given, specific and informed consent” as stated in Article 3 of the Law,
- the data controller is to be instructed that, in cases where the processing of personal data depends on a condition other than explicit consent, the processing activities related to this data should not be included in the Explicit Consent Text; that the Explicit Consent Text should be updated by clearly stating which personal data is associated with which processing purpose; and that the data controller is to inform the Board about these instructions within 30 days at the latest,
- all personal data and verification data obtained through facial recognition systems are to be destroyed by the data controller in accordance with the Law; in addition, the data controller should find an alternative to the facial recognition system that does not use biometric data and should provide documents to the Board proving that these instructions were followed within 30 days.
In the same complaint made to the Board, it was stated that the data controller company had installed security cameras in the toilet corridors of the workplace. In its defense, the data controller stated that workers in the paper production workplace put their own safety at risk by smoking in the toilets and that, to prevent this, it installed cameras that do not work and do not record any images. On this matter, the Board decided to instruct the data controller not to position the cameras in the workplace in a way that would undermine workers' reasonable expectation of privacy.
The Board continues to impose penalties on data controllers who collect biometric data and monitor personnel entry and exit. Even though the Explicit Consent Text in the above-mentioned decision was not prepared in accordance with the Law, the Board reiterated that even an explicit consent text prepared in accordance with the Law would constitute a violation of the general principles. As seen in the decision, data controllers who continue this practice face the risk of administrative fines, as well as the obligation to abandon their current practices and switch to a new tracking system within 30 days.