Decision Of The Turkish Data Protection Authority On The Processing Of Biometric Signature Without Explicit Consent

In its decision dated 27 August 2020 (No: 2020/649, the Turkish Data Protection Authority (DPA) decided that biometric signatures are not covered by the provisions of the Turkish Code of Obligations (TCO) regulating signatures, and that biometric signatures therefore cannot be processed without the explicit consent of the data subject in accordance with Law No: 6698 on the Protection of Personal Data. (“the Law”)

Full text of the decision (in Turkish) is available here.

What are Biometric Signatures?

Article 15 of the TCO which regulates signatures refers to handwritten wet-ink signature and secure electronic signature.

Wet-ink signature is the classic signature signed by hand. Its static and geometric features can be evaluated, based on the visual appearance of the signature. Secure electronic signature, on the other hand, can only be signed using the secure electronic signature creation device used by the owner of the signature. It allows identification of the signatory through the qualified electronic certificate as well as any subsequent changes made to the signed electronic data.

Although biometric signature shares certain features of these two signature types, it differs from both by virtue of its nature. Biometric signature is created by the signatory by signing on a special tablet/pad using their biometric data. It is attached to the signed document in a manner which prevents it from being unbound from it. Accordingly, when analyzing biometric signatures, factors such as the dynamic properties of the biometric signature (how it is formed); the amount of pressure applied, the writing angle, the speed and acceleration of the pen, the formation of letters, the direction of the signature, etc. can be evaluated.

Provisions of the Law on Biometric Data

According to Article 6 of the Law; biometric data is considered “sensitive personal data”. As a rule, sensitive personal data can only be processed with the explicit consent of the data subject. However, sensitive personal data except those concerning health and sexual life may be processed without seeking explicit consent of the data subject, in cases where their processing is provided for by applicable laws.

Evaluation of the DPA

In a request for written opinion submitted to it, the DPA was asked whether biometric signatures can be processed without explicit consent in light of the exception regarding cases where processing is provided for in applicable laws, in light of Articles 14 and 15 of the TCO relating to signatures and requirements as to form in contracts.

Taking into account both the relevant provisions of the TCO and the “Electronic Identification, Authentication and Trust Services Regulation” (eIDAS), which is the European Union regulation standard for electronic identification and trust services for electronic transactions in the European Digital Single Market, the DPA concluded that handwritten wet-ink signature and biometric signature are different concepts.

The DPA considered that provisions of the TCO relating to signatures cover the classic handwritten signature and electronic signature, that interpreting these regulations in a way that includes the biometric signature would lead to too broad an interpretation of the exception on data processing based on a provision of law and that this would go against the principle of proportionality.

Accordingly, the DPA decided that biometric signatures can only be processed with the explicit consent of the data subject, that data subjects should also be informed with regards the nature and purpose of processing in accordance with Article 10 of the Law, and that the guide on “Adequate Measures To Be Taken When Processing Sensitive Personal Data” published by the DPA should be adhered to.

Yiğit Kaynar, Esq.