This Legal Alert aims at providing you with an overview on recent Decision No. 2018/10 of Personal Data Protection Board (“Board”) re. “measures required to be taken by data controllers in processing of special categories of personal data (“SCPD”)” which was published in the Official Gazette numbered 30353 and dated March 7, 2018 (“New Decision”).

Please note that this Legal Alert is intended to be general information purposes only. No statement herein contains any opinion or professional legal advice.

I. GENERAL OVERVIEW

Before elaborating on the provisions of the New Decision, we would like to briefly touch upon general provision on conditions for processing of SCPD as set out under Article 6 of the Law on Personal Data Protection numbered 6698 and dated March 24, 2016 (the “Law”). According to Article 6 of the Law, data of a data subject relating to race, ethnicity, political opinion, philosophical standing, religion, religious sect or other beliefs, appearance and clothing, membership to an association, charitable organization or union, health, sexual life, sentence to punishment and security measures, and his/her biometric and genetic data are defined as SCPD. As general rule, it is prohibited to process SCPD without the explicit consent of the data subject. However, SCPD except those relating to health and sexual life can be processed without the explicit consent of the data subject, if permitted by the laws. On the other hand, personal data relating to health and sexual life can be processed without the explicit consent of the data subject, only for the purposes of protection of public health; operation of preventive medicine, medical diagnosis, treatment and care services; planning and management of health services and its financing by persons under confidentiality obligation or authorized institutions and organizations. Finally, as per the last paragraph of Article 6 of the Law, in the processing of SCPD, sufficient measures to be determined by the Board are required to be taken by the data controllers, which constitutes the basis for the New Decision.

II. MEASURES TO BE TAKEN FOR PROCESSING OF SCPD

In the New Decision which has entered into force as of March 7, 2018, the Board has determined the measures to be taken by data controllers for processing of SCPD as follows:

1. A systematic, administrable and sustainable separate policy and procedure rules of which are clearly laid down must be determined for security of SCPD.
2. For the employees having involvement in the processing of SCPD:
   1. Regular trainings must be provided on security of SCPD;
   2. Confidentiality agreements must be concluded;
   3. Scope and term must be clearly defined for authorities of the users with the authority to access the data;
   4. Periodic authority controls must be carried out;
   5. In the events of change of duty or leaving the job, the concerned employee’s authorities must be removed and return of inventory allocated to the employee must be ensured.
3. If SCPD are processed, preserved and/or accessed in the electronic environment:
   1. Data must be preserved by cryptographic methods;
   2. Cryptographic keys must be kept secure and in different environments;
   3. Activity records of any activities conducted on the data must be securely logged.
   4. Security updates of data environment must be consistently followed, necessary security tests must be regularly carried out, and test records must be recorded;
   5. If the data are accessed through a software user authorization must be made for such software, security tests must be regularly carried out concerning such software and test results must be recorded;
   6. If remote access is provided for the data, at least two-factor authentication system must be provided.
4. If SCPD are accessed through and/or stored in physical environment:
   1. It must be made sure that adequate level of security measures (e.g. for the cases of electrical leakage, fire, flood, theft etc.) have been taken in accordance with qualification of environment in which SCPD are stored;
   2. Physical security must be ensured for such environments and unauthorized entrance and exit must be prevented.
5. If SCPD will be transferred:
   1. For transfer through e-mail, data must be transferred through corporate e-mail address with encryption or by using Registered Electronic Mail (KEP) account;
   2. For transfer through environments such as flash memory, CD, DVD, data must be encrypted by cryptographic methods and cryptographic key must be kept in another environment;
   3. For the transfer between servers in different physical environments, data transfer must be carried out by setting up VPN or by sFTP method between servers;
   4. For the transfer on paper, necessary measure must be taken against risks such as being stolen, lost or seen by unauthorized persons and document must be sent in the format of “classified documents”.