Certain categories of personal data are classified as “special personal data”, such as information on a person’s religion, beliefs, appearance, biometric and genetic data and criminal records. Special personal data may not be processed without the explicit consent of the data subject, and data controllers must take adequate measures as determined by the Board.
The Board adopted a decision relating to the measures to be taken by data controllers when processing special personal data. Accordingly, data controllers should set a separate, systematic, manageable and sustainable policy and procedure with definite rules for the protection of special personal data.
Adequate measures set forth by the Board can be categorized as follows:
- Measures in relation to employees (such as providing periodic training to employees on the protection of special personal data and the regulatory framework, and executing confidentiality agreements).
- Measures for protecting special personal data kept, processed or accessed in an electronic environment (such as securing the data by using cryptographic means, keeping cryptographic keys in secure and different mediums, and logging all transaction records on special personal data in a secure way).
- Measures for protecting special personal data kept, processed or accessed in a physical environment (such as taking adequate security measures specific to the environment that the data is kept in, for example against theft, fire, flood, preventing unauthorized entries to ensure the physical safety of the environment that the data is kept in).
- Measures for transferring special personal data (such as using a corporate email address with a password or using a registered email address (Kayıtlı Elektronik Posta) if the transfer is to be made via email, using cryptographic means and keeping the cryptographic keys in a separate place if the transfer is to be made via an external hard disc, CD, DVD or by a similar method).
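The electronic-environment measures listed above (securing the data with cryptographic means, keeping the key on a different medium from the data, and logging every transaction on the data in a tamper-evident way) can be illustrated with the following added example. It is not taken from the Board’s decision or the Personal Data Security Guidelines; it is standard-library Python only, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for AES-GCM, and the directory layout, key file and record contents are constructed for the demonstration.

```python
"""Added example (not from the Board's decision): encrypt a special-personal-data
record with a key stored apart from the data store, and keep a hash-chained,
HMAC-protected access log so that edits or deletions in the log are detectable.
Stdlib only; use AES-GCM from a vetted library in production."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (a PRF), one block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master: bytes):
    """Derive separate encryption and MAC keys so one key is never used for both."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before decrypting; raises on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record was modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AuditLog:
    """Append-only transaction log: each entry's MAC covers the previous MAC, so removing,
    reordering or editing any entry breaks the chain for every later entry."""

    def __init__(self, log_key: bytes):
        self.log_key = log_key
        self.entries = []
        self._prev = b"\x00" * 32

    def append(self, actor: str, action: str, record_id: str) -> None:
        payload = json.dumps({"actor": actor, "action": action, "record": record_id},
                             sort_keys=True)
        mac = hmac.new(self.log_key, self._prev + payload.encode(), hashlib.sha256).digest()
        self.entries.append({"payload": payload, "mac": mac.hex()})
        self._prev = mac

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for entry in self.entries:
            mac = hmac.new(self.log_key, prev + entry["payload"].encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, bytes.fromhex(entry["mac"])):
                return False
            prev = mac
        return True


def demo() -> dict:
    """Key and data live in separate directories (hypothetical layout); a constructed
    HR record is encrypted, read back, and both operations are logged."""
    root = tempfile.mkdtemp()
    key_dir, data_dir = os.path.join(root, "keys"), os.path.join(root, "data")
    os.makedirs(key_dir)
    os.makedirs(data_dir)
    key_path = os.path.join(key_dir, "records.key")
    with open(key_path, "wb") as f:
        f.write(secrets.token_bytes(32))          # key medium, separate from data medium
    with open(key_path, "rb") as f:
        key = f.read()
    record = b'{"employee":"emp-001","religion":"<constructed sample>"}'
    blob_path = os.path.join(data_dir, "emp-001.bin")
    with open(blob_path, "wb") as f:
        f.write(encrypt_record(key, record))
    log = AuditLog(secrets.token_bytes(32))
    log.append("hr-admin", "write", "emp-001")
    with open(blob_path, "rb") as f:
        recovered = decrypt_record(key, f.read())
    log.append("hr-admin", "read", "emp-001")
    return {"roundtrip_ok": recovered == record,
            "key_outside_data_dir": not key_path.startswith(data_dir),
            "log_ok": log.verify(), "log_entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is that the three listed measures interlock: the ciphertext on the data medium is useless without the key held elsewhere, any alteration of the stored blob is refused rather than silently decrypted, and the access log itself is protected so that a record of who touched special personal data cannot be quietly rewritten.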
Whilst abiding by the adequate measures set out above, data controllers should also take into account the technical and administrative measures published on the Board’s website and set out in the Personal Data Security Guidelines (Kişisel Veri Güvenliği Rehberi).