The Turkish Personal Data Protection Board ("Board") published a pivotal decision ("Decision" or "Decision numbered 2023/570") on December 28, 2023, which is of significant importance for crypto asset service providers operating in Turkey ("CASPs").

To summarize the background broadly, a crypto exchange user complained to the Data Protection Authority ("DPA") that the crypto exchange was demanding a disproportionate amount of sensitive personal data, such as a biometric photo, a passport photo, etc., in order to withdraw cryptocurrencies.

Basic level accounts of the CASP in question enable users to deposit and withdraw Turkish Lira, as well as to buy, sell or deposit cryptocurrencies within the platform. In order to withdraw cryptocurrencies, users must upgrade their account to an advanced level account by submitting a copy of their identity document (i.e. ID card, passport or driving license) along with a picture of themselves holding their ID card and a paper bearing a certain date and statement.

The DPA stated in its Decision that CASPs are liable to comply with anti-money laundering, counter-terror financing and know your customer ("KYC") requirements within the scope of the Regulation on Measures regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism. In this regard, CASPs are required to conduct identity verification, perform KYC checks during the onboarding and life cycle of the user, continuously monitor transactions and user accounts, and identify and report suspicious activities to the Turkish Financial Crimes Investigation Board ("FCIB").

A dedicated examination of the user identification requirements during the onboarding process reveals that the available legal framework does not quite respond to the needs of remote identity verification. Moreover, it may potentially lead to a conflict with the data privacy regulations, resulting in catch-22 situations.

As businesses operating exclusively in an electronic environment, the majority of CASPs process biometric data through face recognition, liveness checks, and biometric image processing and recognition applications. In addition, special categories of personal data, including religious information and blood type information, are found on old Turkish ID cards and on old and new driving licenses, which are still in use. Special categories of personal data are subject to a stringent protection and processing regime under the Law on the Protection of Personal Data ("LPPD").

Notably, biometric data and religious information can be processed only if the user consents, or if such processing is expressly stated by laws, and it must also comply with the general data privacy principles (i.e. data minimisation). Even though CASPs conduct remote identity verification (including biometric data processing) in order to comply with their legal obligations, there is no clear law regulating such processing. As a result, certain challenges arise from a data privacy perspective, mainly around the validity of the user consent, the proportionality and necessity of such processing, and the possibility that users may withdraw their consent.

CASPs' user onboarding flows are always of particular interest to business development, compliance, data privacy, legal, and product teams, as they focus on achieving the best possible outcome in the interplay between anti-money laundering requirements, data privacy principles and maximum user acquisition.

The Decision did not assess the lawfulness of processing special categories of personal data on ID documents, nor whether the CASP in question applied biometric data processing during the account upgrade.

Instead, the Board categorically interpreted the processing activity during the identity verification process for an account upgrade as expressly stated by laws and as serving a public interest. Hence, the relevant practice of the crypto exchange was upheld by the Decision.
