Biometric Data Processing Under Turkish Personal Data Protection Law

Introduction

Biometric data processing has become one of the most sensitive areas of Turkish personal data protection law. Fingerprint access systems, facial recognition technologies, palm vein readers, iris scanning, voice recognition, biometric identity verification, digital onboarding tools, employee attendance systems, high-security access controls, e-signature verification, fintech identity checks, healthcare identification systems, and artificial intelligence-based biometric authentication are now widely used by businesses and public institutions.

However, biometric data is not an ordinary category of personal data. Under Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, biometric data is expressly classified as a special category of personal data. This means that biometric data can be processed only under strict legal conditions and with adequate safeguards determined by the Turkish Personal Data Protection Board. The law also requires all personal data processing to comply with general principles such as lawfulness, fairness, purpose limitation, proportionality, data minimization, and storage limitation.

For companies operating in Turkey, biometric data compliance is not a simple matter of obtaining a signature from users or employees. Even explicit consent may not be sufficient if the biometric system is unnecessary, disproportionate, excessive, or replaceable by less intrusive alternatives. The Turkish Personal Data Protection Board has repeatedly emphasized that biometric data processing must be assessed in light of concrete necessity, proportionality, alternative methods, transparency, and security obligations.

What Is Biometric Data?

Biometric data generally refers to personal data resulting from technical processing relating to a person’s physical, physiological, or behavioral characteristics that allow or confirm unique identification. Turkish legislation does not provide a broad standalone definition of biometric data in KVKK itself, but the Turkish Personal Data Protection Authority’s biometric data guidance refers to the GDPR definition as a comprehensive reference point.

Common examples of biometric data include fingerprints, palm prints, palm vein patterns, facial recognition templates, iris scans, retina scans, voice recognition templates, hand geometry, gait patterns, typing rhythm, signature dynamics, and other characteristics used to identify or verify a person. A photograph alone may not always be biometric data, but if it is technically processed to uniquely identify or authenticate a person through facial recognition, it may become biometric data.

The key issue is not only the biological nature of the information. The legal risk arises when that information is technically processed for identification or authentication. For example, a simple employee photograph on an ID card may be ordinary personal data, while a facial template generated from that photograph for automated access control may qualify as biometric data.

Biometric Data as a Special Category of Personal Data

Article 6 of KVKK expressly includes biometric data among special categories of personal data. Special categories also include data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, and genetic data.

The classification of biometric data as a special category has important consequences. First, processing biometric data is prohibited as a rule unless one of the legal conditions under Article 6 exists. Second, the data controller must implement adequate measures determined by the Board. Third, biometric data processing must still comply with the general principles under Article 4, including being relevant, limited, and proportionate to the purpose of processing.

Biometric data deserves strict protection because it is unique, permanent, and difficult to replace. A password can be changed. A card can be cancelled. A fingerprint, face template, iris pattern, or palm vein structure cannot be changed in the same practical way. If biometric templates are compromised, the harm may be long-term and difficult to remedy.

Legal Grounds for Processing Biometric Data

Following the 2024 amendments to Article 6, special categories of personal data may be processed only under specific legal conditions. These include explicit consent, processing expressly provided by laws, necessity for protection of life or physical integrity, processing of data made public by the data subject in line with the intention of disclosure, necessity for the establishment, exercise or protection of a right, certain public health and healthcare-related purposes, employment and social security-related legal obligations, and limited processing by certain non-profit organizations within their fields of activity.

For biometric data, the most commonly discussed legal bases are explicit consent and express legal provision. However, both require careful analysis. If processing is based on law, the legal rule must clearly authorize biometric processing. General employer management rights, general security needs, or broad operational convenience will usually not be enough.

If processing is based on explicit consent, the consent must be freely given, specific, and informed. Yet explicit consent alone does not automatically make biometric processing lawful. The processing must also comply with Article 4 principles. Therefore, even a signed consent form may fail if the biometric system is disproportionate or unnecessary.

Explicit Consent and Biometric Data

Explicit consent under KVKK must be specific, informed, and freely given. In biometric data processing, consent should explain which biometric data will be processed, for what purpose, by whom, how it will be stored, whether it will be transferred, how long it will be retained, what alternatives are available, and how consent may be withdrawn.

The Authority’s biometric guidance emphasizes that the person must know what they are consenting to and the consequences of that consent. It also warns that where parties are not in an equal position, such as the employee-employer relationship, whether consent is freely given must be evaluated carefully.

This is especially important in workplaces. If an employee is effectively forced to use a fingerprint or face recognition system to enter the workplace, and no real alternative is provided, the employee’s consent may not be considered freely given. If refusal causes disadvantage, pressure, or exclusion from normal work processes, the consent mechanism may be legally weak.

Proportionality: The Central Test in Biometric Processing

Proportionality is the most important concept in biometric data compliance. Article 4 requires personal data to be relevant, limited, and proportionate to the purposes for which it is processed. This principle applies even where explicit consent exists or another legal basis is claimed.

The Authority’s biometric guidance states that biometric data processing must not touch the essence of fundamental rights and freedoms, must be suitable for the purpose, must be necessary, must be proportionate, and must be used only where the same purpose cannot be achieved by less intrusive means. The guidance also explains that biometric data should not be processed if the purpose can be achieved through another method.

This means that a company must ask: Is biometric processing genuinely necessary? Is there a less intrusive alternative? Can the purpose be achieved with an ID card, password, QR code, RFID card, SMS verification, mobile authentication, security guard check, turnstile card, or ordinary camera system? If yes, biometric processing may be disproportionate.

Board Decisions on Biometric Access Control

The Personal Data Protection Board’s decisions on sports club and workplace biometric systems provide important guidance. In the sports club decisions numbered 2019/81 and 2019/165, the Board concluded that entrance-exit control and internal security could be achieved through alternatives other than biometric processing. The Board instructed data controllers to stop biometric entry-exit processing and to destroy hand, finger, and palm print data previously processed and stored.

The workplace face recognition decision numbered 2022/797 is also highly significant. The Board evaluated the use of facial recognition for employee entry-exit tracking and noted that even if biometric processing is based on explicit consent, the processing must still comply with general principles. It emphasized that the employer could achieve its purposes through less intrusive alternatives such as magnetic cards, RFID tags, SMS-based verification, warnings against misuse, and disciplinary measures against abuse.

These decisions show that Turkish practice is strict. Biometric data should not be used merely because it is efficient, modern, or convenient. The data controller must show concrete necessity and prove that less intrusive alternatives are insufficient.

Biometric Data in the Workplace

Workplace biometric systems are common in Turkey, especially for attendance tracking, access control, cafeteria access, production facility entry, secure room access, and shift management. However, employment relationships create a power imbalance. Employees may feel compelled to accept biometric processing because they depend on their employer.

The Board’s 2022/797 decision is particularly relevant for employers. It found that broad consent language covering many processing purposes may not satisfy the requirements of specific and informed consent. It also emphasized that where other legal bases exist, unnecessary inclusion of those activities in an explicit consent text may be misleading and may amount to abuse of rights.

For ordinary attendance tracking, biometric processing is often difficult to justify if card systems, passwords, mobile codes, electronic badges, or other methods can achieve the same objective. However, there may be exceptional high-security environments, such as nuclear facilities, restricted laboratories, military-sensitive areas, or critical infrastructure zones, where biometric verification may be more defensible due to the level of risk. The Authority’s biometric guidance itself contrasts ordinary sports club access with high-security environments requiring stronger identity verification.

Biometric Data in High-Security Areas

Biometric processing may be more legally defensible where the purpose involves high-level security and no less intrusive method provides adequate protection. Examples may include access to critical infrastructure, data centers, restricted research laboratories, bank vault areas, secure manufacturing zones, defense-related facilities, or areas where unauthorized access could create serious public safety, financial, or legal risks.

Even in these cases, the data controller should document why biometric processing is necessary, why the selected biometric method was chosen, why alternatives are insufficient, how the system minimizes data, how templates are protected, and how long the data will be retained.

High security does not mean unlimited biometric processing. Access should be limited to necessary persons, biometric data should be encrypted, raw images should not be retained unless strictly required, and alternative methods should be available for persons who cannot use biometric systems.

Face Recognition Technologies

Face recognition is increasingly used in workplaces, retail stores, airports, banks, mobile applications, education, hospitality, and public spaces. From a KVKK perspective, facial recognition may involve biometric data when a person’s facial features are technically processed for unique identification or verification.

A simple security camera recording is generally processed as visual data, but a camera system that identifies individuals through facial templates may process biometric data. This distinction is crucial. Data controllers should not label facial recognition as ordinary camera surveillance.

The Board’s 2022/797 decision shows that facial recognition for workplace entry-exit tracking may be unlawful where consent is not valid, the privacy notice is insufficient, the processing lacks a clear legal basis, and less intrusive alternatives are available.

Fingerprint and Palm Print Systems

Fingerprint and palm print systems are among the most common biometric technologies. They may be used in offices, gyms, production facilities, schools, residential complexes, and service areas. Under Turkish law, these systems process special category personal data when used for identification or authentication.

The Board’s sports club decisions are directly relevant to palm and fingerprint-based entrance systems. The Board required biometric entry-exit processing to stop where the same purpose could be achieved by alternative means and instructed deletion, destruction, or anonymization of previously processed biometric data.

Organizations using fingerprint or palm print systems should therefore conduct an immediate compliance review. They should assess legal basis, necessity, alternatives, consent validity, privacy notices, retention periods, encryption, vendor contracts, and deletion mechanisms.

Biometric Data and Artificial Intelligence

Artificial intelligence can increase the risks of biometric data processing. AI-based face recognition, emotion analysis, voice recognition, gait recognition, behavioral biometrics, deepfake detection, and liveness detection systems may process biometric characteristics at scale. These technologies may also generate biometric templates or infer sensitive information from physical or behavioral traits.

Under KVKK, the use of AI does not reduce legal obligations. On the contrary, AI-based biometric processing usually increases the need for transparency, proportionality, security, auditability, and human oversight. If AI-based biometric systems produce results that affect individuals, data subject rights under Article 11 may also become relevant, including the right to object to a result against the person arising from analysis exclusively through automated systems.

Businesses using biometric AI should document model purpose, data categories, training data sources, accuracy rates, false positive risks, false negative risks, bias risks, human review procedures, and retention rules.

Obligation to Inform Data Subjects

Before biometric data is processed, data subjects must be informed under Article 10 of KVKK. The notice must include the identity of the data controller, the purpose of processing, recipients and transfer purposes, method and legal basis of collection, and data subject rights under Article 11.

For biometric processing, a generic privacy notice is not enough. The notice should clearly state that biometric data will be processed, identify the biometric method, explain the purpose, legal basis, retention period, security measures, transfer recipients, and alternatives. If the system is used in a workplace, the notice should be separate from general HR documents and must be understandable to employees.

The 2022/797 decision demonstrates the importance of specific transparency. The Board found that the employer’s privacy notice did not include information about biometric data processing through facial recognition systems, and that the notice did not clearly match each personal data category with the relevant processing purpose and legal basis.

Retention and Destruction of Biometric Data

Biometric data should not be kept indefinitely. Article 7 of KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist.

The biometric guidance emphasizes that the maximum processing period must be determined and that all variants of the biometric feature, including raw and derived records, must be processed only for the required time. The controller should explain retention reasons in its personal data retention and destruction policy.

This is highly important because biometric systems often store both raw images and derived templates. The safer approach is to avoid storing raw biometric images unless strictly necessary. Templates should be encrypted, stored separately where possible, and deleted when the person no longer needs access or when the purpose ends.

Technical Security Measures for Biometric Data

The Authority’s biometric guidance provides detailed technical expectations. It states that biometric data stored in cloud systems should be protected through cryptographic methods, derived biometric data should be stored in a way that does not allow recovery of the original biometric feature, biometric templates should be encrypted using adequate cryptographic methods, and encryption and key management policies should be clearly defined. One practical caveat: unlike a password, a biometric template usually cannot be stored as a one-way hash, because matching is a fuzzy comparison against the stored reference rather than an exact equality check. Encryption at rest, with the keys held separately from the template store and from the identity records, is therefore the realistic control, and template protection schemes that store a non-invertible, renewable transform of the template are preferable where the vendor supports them.

The guidance also recommends testing systems with synthetic data before installation and after changes, limiting biometric data used for testing, deleting test data at the end of testing, using systems that warn administrators or delete and report data in case of unauthorized access, using certified equipment and licensed up-to-date software, tracking the lifetime of biometric devices, monitoring and limiting user actions on biometric software, and periodically testing hardware and software.

These technical measures are not optional best practices. They are part of the expected compliance framework for high-risk special category data.
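The following is an added example, not code from the original page or from the Authority’s guidance, showing how the template encryption, key management, access limitation and retention points above fit together in one small design: each subject’s template is encrypted under its own data key, the data keys are wrapped by a key-encryption key that lives in a separate key service (a stand-in for an HSM or KMS), every read is authorised and logged, and destruction is done by crypto-shredding the data key so that the ciphertext becomes unrecoverable even in backups the vault cannot reach. Everything here is hypothetical: the class and function names, the `KeyService` stand-in, and the template bytes are constructed for the example. The cipher is an encrypt-then-MAC construction over an HMAC-SHA256 keystream built only from the Python standard library so the example runs offline; in production use a real AEAD such as AES-256-GCM.

```python
"""Envelope-encrypted biometric template vault with crypto-shredding.

Added example with constructed data; KeyService stands in for an HSM/KMS
and _seal/_open stand in for a real AEAD (use AES-GCM in production).
"""
import hashlib
import hmac
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream (stdlib stand-in for an
    AEAD such as AES-256-GCM). Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("template record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Stand-in for an HSM/KMS holding the key-encryption key (KEK).
    The KEK never leaves it; the vault only ever handles wrapped data keys."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return _seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return _open(self._kek, wrapped)


class TemplateVault:
    def __init__(self, keys: KeyService, authorised: set) -> None:
        self._keys = keys
        self._authorised = authorised          # principals allowed to read templates
        self._records = {}
        self.audit = []                        # (event, subject, actor) tuples

    def enrol(self, subject: str, template: bytes, retain_until: str) -> None:
        """Store a template under its own data key; retain_until is ISO YYYY-MM-DD."""
        dek = secrets.token_bytes(32)          # one data key (DEK) per subject
        self._records[subject] = {
            "blob": _seal(dek, template),
            "wrapped_dek": self._keys.wrap(dek),
            "retain_until": retain_until,
        }
        self.audit.append(("enrol", subject, "system"))

    def read(self, subject: str, actor: str) -> bytes:
        if actor not in self._authorised:
            self.audit.append(("denied", subject, actor))   # feeds the admin alert
            raise PermissionError(f"{actor} may not read biometric templates")
        rec = self._records.get(subject)
        if rec is None or rec["wrapped_dek"] is None:
            raise KeyError(f"no readable template for {subject}")
        self.audit.append(("read", subject, actor))
        return _open(self._keys.unwrap(rec["wrapped_dek"]), rec["blob"])

    def revoke(self, subject: str) -> None:
        """Crypto-shred: destroying the subject's DEK makes every copy of the
        ciphertext unrecoverable, including copies in backups the vault cannot
        reach. The blob is dropped too so the primary store holds nothing."""
        rec = self._records[subject]
        rec["wrapped_dek"], rec["blob"] = None, b""
        self.audit.append(("destroyed", subject, "system"))

    def purge_expired(self, today: str) -> list:
        """Article 7 housekeeping: shred every template whose retention ended."""
        expired = [s for s, r in self._records.items()
                   if r["wrapped_dek"] is not None and r["retain_until"] < today]
        for s in expired:
            self.revoke(s)
        return expired


if __name__ == "__main__":
    vault = TemplateVault(KeyService(), authorised={"access-control-service"})
    vault.enrol("emp-0001", secrets.token_bytes(512), "2030-12-31")   # constructed template
    vault.enrol("emp-0002", secrets.token_bytes(512), "2021-06-30")
    print("purged:", vault.purge_expired("2024-01-01"))
    print("audit:", vault.audit)
```

The design choice worth noting is that destruction is a key operation, not a file operation: deleting the wrapped data key is what makes the record unrecoverable, which is the only reliable way to honour an erasure order when ciphertext has already been replicated to backups or a vendor’s cloud. The `denied` audit entries are the hook for the guidance’s “warn administrators on unauthorized access” expectation; in a real deployment they would be shipped to the monitoring system rather than kept in a list.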

Organizational Security Measures

The biometric guidance also sets out organizational measures. These include providing an alternative system without restrictions or additional cost for persons who cannot use the biometric solution or who do not consent, preparing an action plan for biometric authentication failures, defining and documenting access mechanisms for authorized persons, providing special training to personnel involved in biometric data processing, establishing a formal vulnerability reporting procedure, and creating an emergency procedure for data breaches.

In practice, a biometric compliance program should include internal policies, access authorization matrices, confidentiality undertakings, training records, vendor agreements, audit logs, deletion records, breach response procedures, and periodic compliance reviews.

Biometric Data and Cross-Border Transfers

Biometric systems may involve cross-border transfers where foreign cloud providers, biometric software vendors, AI service providers, global HR systems, international security platforms, or foreign support teams access or store biometric data.

Article 9 of KVKK was amended in 2024. Under the amended rule, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision for the relevant country, sector, or international organization. In the absence of an adequacy decision, transfer may be possible through appropriate safeguards such as binding corporate rules, standard contracts, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.

Because biometric data is a special category of personal data, international transfers require extra caution. Transfer documents should specifically address the biometric data category, transfer purpose, recipient, security measures, onward transfers, retention period, and additional safeguards for special category data.

Data Breach Notification

Biometric data breaches are particularly serious. If biometric templates, face recognition data, fingerprint data, or palm vein records are obtained by unauthorized persons, the risk may be long-lasting. A compromised password can be reset, but biometric characteristics cannot be easily replaced.

Article 12 of KVKK requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing and access. It also requires the controller to notify the data subject and the Board within the shortest time if processed data are obtained by others through unlawful means. The Board has interpreted “the shortest time” as 72 hours from the date the controller learns of the breach, so the clock in a biometric incident starts at detection, not at the end of the forensic investigation.

A biometric data breach response plan should include immediate system isolation, forensic analysis, vendor notification, Board notification assessment, data subject communication, access credential replacement where possible, template revocation if supported, risk mitigation, and documented remediation.

Practical Compliance Checklist

A company planning to process biometric data in Turkey should complete the following steps:

  1. Identify the exact biometric data category, such as fingerprint, face template, iris scan, palm vein, or voice recognition.
  2. Define the processing purpose clearly.
  3. Determine whether biometric processing is genuinely necessary.
  4. Evaluate less intrusive alternatives.
  5. Select the least intrusive biometric method if biometric processing is unavoidable.
  6. Determine the legal basis under Article 6.
  7. Prepare a specific privacy notice under Article 10.
  8. Obtain explicit consent only where it is a valid and necessary legal basis.
  9. Provide a real alternative without penalty or additional cost where consent is used.
  10. Document necessity and proportionality assessments.
  11. Avoid collecting genetic data or raw biometric samples unless strictly necessary.
  12. Define retention periods for raw and derived biometric data.
  13. Encrypt biometric templates and manage encryption keys securely.
  14. Restrict access to biometric systems.
  15. Train employees who manage biometric systems.
  16. Review vendor contracts and processor obligations.
  17. Map domestic and cross-border transfers.
  18. Prepare data breach response procedures.
  19. Conduct periodic audits and technical tests.
  20. Delete, destroy, or anonymize biometric data when the purpose ends.

Common Mistakes in Biometric Data Processing

One common mistake is assuming that consent solves every problem. In Turkish law, consent does not cure disproportionate processing. Even with consent, biometric processing may be unlawful if less intrusive alternatives are available.

Another mistake is using biometric systems for ordinary workplace attendance tracking. The Board has made clear that where magnetic cards, RFID tags, SMS verification, or other methods can achieve the same purpose, biometric processing may violate proportionality.

A third mistake is failing to provide a genuine alternative. If a person cannot use or does not consent to biometric authentication, the controller should provide another method without restriction or additional cost.

A fourth mistake is storing raw biometric images unnecessarily. Controllers should prefer secure templates and avoid retaining raw biometric data unless strictly required.

A fifth mistake is using foreign biometric vendors without Article 9 analysis. Cloud-based biometric systems may trigger cross-border transfer obligations.

A sixth mistake is failing to delete biometric data after the employment, membership, or access relationship ends.

Legal Consequences of Non-Compliance

Non-compliance with biometric data rules may lead to Board investigations, administrative fines, orders to stop processing, orders to delete or destroy data, data subject complaints, civil compensation claims, employment disputes, contractual liability, and reputational harm. Article 12 also imposes data security obligations, while Article 11 gives data subjects rights to obtain information, request correction, request erasure or destruction, object to certain automated results, and claim compensation for unlawful processing.

Board decisions show that regulators may require biometric processing to stop and previously collected biometric data to be destroyed where processing is found disproportionate or unlawful.

Conclusion

Biometric data processing under Turkish Personal Data Protection Law requires a strict, documented, and risk-based compliance approach. Because biometric data is a special category of personal data, it may be processed only under Article 6 conditions and with adequate measures determined by the Board. However, legal basis alone is not enough. The processing must also comply with Article 4 principles, especially necessity and proportionality.

The key compliance question is not whether biometric technology is useful. The key question is whether it is legally necessary and proportionate for the specific purpose. If the same objective can be achieved through less intrusive alternatives, biometric processing may be unlawful even where consent has been obtained.

Companies using fingerprint, face recognition, palm print, iris scan, voice recognition, or other biometric technologies in Turkey should conduct a detailed legal and technical assessment. They should prepare specific privacy notices, avoid broad consent language, provide alternatives, minimize data, encrypt templates, restrict access, train personnel, review vendors, control cross-border transfers, and define retention and destruction periods.

A strong biometric data compliance program protects individuals from irreversible privacy risks and protects organizations from regulatory sanctions, litigation, reputational harm, and operational disruption. In Turkey, biometric data processing should be treated as an exceptional and high-risk activity—not as an ordinary convenience tool.
