TR 
EN 
Decision dated February 27, 2020 numbered 2020/167 (“Decision 2020/167”) on the processing of biometric data for the control of entrance and exit points of a gym by the data controller which provides gym services
Prior to the Decision 2020/167, a data subject filed a complaint stating that special categories of personal data of gym members are being processed through a palm print scanner system for entrance and exits to the facilities.
In Decision 2020/167, the Board stressed that even though ‘biometric data’ is not defined in the Law No. 6698, it means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data according to the General Data Protection Regulation (“GDPR”). The Board also referred to the definition of biometric methods as authentication techniques such as fingerprint, iris or palm print recognition systems which can be automatically verified and made upon measurable physiological and individualistic features as defined by the 15th Council of State in its E. 2014/4562 numbered decision.
The Board underlined that personal data have to be processed for specific, explicit and legitimate purposes and such data have to be relevant with, limited to and proportionate to the purposes for which they are processed. The Board also underlined that the principle of proportionality refers to a fair balance between the purposes and the level of personal data being processed. Therefore, data controllers have to avoid processing personal data which is not necessary for their processing activities. With such perspective, data minimization which is not explicitly defined in the Law No. 6698, yet, mentioned by the Board in its Decision published on August 2, 2018 have to be provided by processing personal which is only proportionate to the purposes. The Board resolved that the use of biometric data for entrance and exits is not in line with the proportionality.
The data controller which provides gym services penalized by the Board on grounds that such processing made upon palm print scanners is considered as processing biometric data, and even though it is claimed that it has a legal basis as explicit consent of the data subject that should be deemed freely given since there was alternative ways offered to members for entrance and exits such as using member cards, is lacking being in line with the general data processing principles, especially principle of proportionality, stipulated under the Article 4 of the Law No. 6698.
Author: Aslı Naz Ünlü
