The decision of the Board within the Personal Data Protection Authority (PDPA) titled “Sufficient Measures to be Taken by Controller in Processing Personal Data of Special Nature”, dated 31.01.2018 and numbered 2018/10 (the “Decision”), was published in the Official Gazette dated 7 March 2018.
As stated in the Decision, the measures it indicates shall be implemented in addition to the technical and administrative measures mentioned in the Guidebook of the Security of Personal Data published on the website of PDPA.
According to the Decision, controllers processing personal data of special nature shall determine a separate policy and procedure.
It is required to provide regular, specific training to the employees involved in the processing of personal data of special nature; to sign non-disclosure agreements with these employees; to immediately revoke the authorizations of employees whose powers are being removed; to clearly determine the authority and term of authority of those who are entitled to access the data; and to implement authorization controls periodically.
An encrypted corporate e-mail address or a registered e-mail (KEP) account shall be used when transferring personal data of special nature via e-mail.
If the environment where the personal data of special nature is processed, stored, and/or accessed is physical, sufficient measures shall be taken according to the features of the environment, and unauthorized entrance and exit shall be prevented.
If the environment where the personal data of special nature is processed, stored, and/or accessed is electronic, cryptographic methods and authentication systems with a minimum of two stages shall be used, and the other security measures provided by the Decision shall be taken.