On March 07, 2018, Turkish Data Protection Authority’s ("DPA") Decision w.no.2018/10 dated 31/01/2018 was published in the Official Gazette. The decision, which covers adequate measures that must be taken for processing sensitive personal data, will have significant impact on all data controllers that process sensitive personal data collected from Turkey.
Sensitive personal data is described in Article 6 of the Data Protection Law (“DPL”) as “Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data…” Further, in the fourth paragraph of the same article, it is stated that sensitive personal data shall be processed by taking adequate precautions determined by the DPA.
Are You Processing Sensitive Personal Data?
At first glance, many individuals/companies may think that they do not process any of the data types described above however we observe that sensitive personal data is frequently collected and processed by companies. To give a few examples; collection of health reports by companies’ human resources departments in the process of hiring an employee, collection of health data and background for health insurance purposes by human resources departments and use of fingerprints, retina and other bio-metric data for security systems/doors are among the most common examples. If any of the above-mentioned processing activities are carried out by the company you work for, then the company you work for is obliged to take the measures specified in the DPA’s decision.
What are the consequences of not taking these precautions?
As mentioned above, Article 6 of the DPL requires that the measures, which will be given below, must be taken. We believe that data processing activities carried out without taking such measures in this framework will be considered as unlawful processing, even when such activity is based on explicit consent of the data subject. As a result of this legal evaluation, we evaluate that the activity in question may be subject to imprisonment between 18 months to 54 months according to Article 135 of the Turkish Criminal Code. In addition to that, since processing sensitive data without taking adequate measures can be regarded as “failure to comply with the decisions of the DPA”, we evaluate that an administrative fine of 25,000 to 1,000,000 Turkish Lira (USD 6.500 – 2.600.000) can be applied.
In light of the above, we advise data controllers to take all adequate measures as stated in the decision given by the DPA. You can find the adequate measures published by the DPA below;
1 – Data controllers shall establish a manageable and sustainable policy and procedure with clearly defined rules specific for the security of sensitive personal data,
2- Precautions specific for employees that process sensitive personal data;
a) Data controllers shall regularly train employees about the laws and related regulations and issues as to security of sensitive personal data,
b) Data controllers shall sign confidentiality agreements with their employees,
c) Data controllers shall clearly identify the scope and duration of user access of employees who has access to sensitive personal data,
d) Data controllers shall regularly perform user access-authorization checks,
e) Data controllers shall immediately revoke the user access of employees who resign or change position within the company and shall request all relevant inventory that was entrusted to him/,
3- If sensitive personal data is processed in electronic media, data controller shall;
a) Store the data using cryptographic methods,
b) Store cryptographic keys in secure and different environments,
c) Securely log transaction records of all transactions performed on the data,
d) Continuously maintain security updates for the environments in which the data is processed, regularly conduct necessary security tests and record test results,
e) Apply user access restriction, conduct security tests of these software regularly and record test results if the data is accessed via a software,
f) Apply two-factor authentication if remote access to the data is required,
4- If sensitive personal data is being processed in a physical environment, data controllers shall;
a) Ensure that adequate security precautions are taken according to the nature of the environment in which personal data is stored (such as precautions for stray voltage, fire, flood, theft, etc.,)
b) Ensure the physical security of these environments to prevent unauthorized entry and exit.
5- Transfer of sensitive personal data;
a) If the data needs to be transferred via e-mail, it must be encrypted using the corporate e-mail address or using the Registered Electronic Mail (KEP)
b) If it needs to be transferred via media such as portable memory, CD, DVD such media shall be encryption by cryptographic methods and cryptographic keys shall be stored in different locations,
c) If sensitive personal data needs to be transferred between servers in different physical environments, a VPN shall be established or sFTP method shall be used,
d) If sensitive personal data needs to be transferred physically on printed paper, necessary precautions against risks such as theft, loss or unauthorized viewing of documents shall be taken and documents shall be sent in "confidentiality grade" format.
6- In addition to the measures mentioned above, the DPA’s Technical and Administrative Measures at the DPA’s website[1] shall also be applied to ensure the appropriate level of security
[1] Turkish Version of the Technical and Administrative Measures - http://www.kvkk.gov.tr/yayinlar/veri_guvenligi_rehberi.pdf