The Personal Data Protection Board (“Board”) published the decision (“the Decision”) on “adequate security measures that must be taken by data controllers in regard to processing of special categories of personal data” in the Official Gazette on March 7, 2018.
What Does the Decision Say?
The Decision is based on Article 6(4) of the Law No. 6698 on the Protection of Personal Data (the “Data Protection Law”), which states that “data controllers must take adequate security measures determined by the Board when processing special categories of personal data.”
Special categories of personal data are exhaustively provided in Article 6 of the Data Protection Law as “personal data relating to race, ethnicities, political, philosophical, religious, sectarian views or other beliefs, clothes and appearances, association, foundation and union affiliations, health conditions, sexual life, convictions and safety precautions, and biometric and genetic data.”
According to the Decision, to take adequate security measures, data controllers must
• issue a separate policy and procedure that is systematic, prescriptive, manageable and sustainable in regard to the security of special categories of personal data,
• take administrative and technical security measures for employees that work in processes related to processing of special categories of personal data (providing trainings, executing confidentiality agreements, implementing access controls, etc.),
• take security measures for special categories of personal data retained in electronic environments, such as storing the data using cryptographic methods, running periodic software security tests, and the other measures listed in the Decision,
• take physical security measures for the special categories of personal data kept in physical environments,
• comply with the rules provided in the Decision when transferring special categories of personal data (e.g., transferring through corporate e-mail addresses protected with passcodes, setting up VPNs between servers).
Administrative fines ranging from TRY 15,000 to TRY 1,000,000 can be imposed on data controllers for non-compliance with the data security obligations. In addition, a large share of the complaints pending before the Board concern data security breach claims.
Companies that process an extensive amount of special categories of personal data must take the security measures provided in the Decision in addition to the security measures explained in the Guidelines on Personal Data Security.