1. What is it? Is it in force? Is it practicable?
Regulation on Data Controllers Registry (“Regulation”) was published in the Official Gazette on 30 December 2017 and entered into force as of 1 January 2018.
The Regulation requires a data controller (a real/legal person, who directly or through a third party carries out and has the overall responsibility for personal data processing activities) to register with Turkey’s Data Controllers Registry (“Registry”). According to the Regulation, such registration must be made before the data controller engages in any personal data processing activities.
Submission for registration shall be made through an online registry system called VERBIS (“VERBIS”).
Turkish Data Protection Authority (“DPA”) may impose a fine up to TRY 1,000,000 (approximately EUR 215,000 as of the date of this note) for not registering with the Registry.
On the other hand, despite the fact that the Regulation has already entered into force, DPA recently announced on its website that (i) work on VERBIS has not yet finished; (ii) DPA will announce the exemptions to the Regulation; (iii) the obligation to register with the Registry has not yet started.
It seems that data protection professionals will need to continue to follow DPA’s decisions and announcements on this matter.
2. Is this Regulation also relevant to the data controllers based outside of Turkey?
Yes, the Regulation stipulates that a data controller, who is based outside of Turkey, must appoint and authorise a representative in Turkey (“Representative”) and register with the Registry via such Representative.
Such Representative may be either (i) a Turkish legal person or (ii) a Turkish citizen based in Turkey.
Such Representative must be authorised by the relevant data controller to (at least):
(a) receive and accept official communication from DPA on behalf of the data controller;
(b) deliver DPA’s request to the data controller and data controller’s responses to such requests to DPA;
(c) deliver applications of data subjects to the data controller and data controller’s responses to the data subjects;
(d) carry out transactions before the Registry on behalf of the data controller.
A certified copy of the authorisation decision of the data controller must be submitted to VERBIS by the Representative in the course of making a submission to VERBIS for registration to the Registry.
3. How will a data controller register with the Registry? What is the information to be submitted?
A data controller will register with the Registry via VERBIS (online registry system). The information required to be submitted to VERBIS is as follows:
(a) Identity and contact information of the data controller, its Representative (if any) and contact person (explained in Section 4(a) below), (any other relevant information to be determined by DPA),
(b) Purposes for processing personal data,
(c) Data categories relating to data subject groups,
(d) Recipients of the personal data,
(e) Personal data, which may be transferred abroad,
(f) Data security measures implemented by the data controller,
(g) The maximum period of data retention (i) stipulated by law or (ii) required by the purpose of processing.
Information set forth in (b), (c), (d), (e) above shall be based on the Data Processing Inventory (as explained in Section 4(b) below) to be prepared by the data controller.
Moreover, data controllers are also obliged to prepare and retain a Personal Data Retention and Destruction Policy (“Policy”). Information set forth in (g) above shall be in line with such Policy.
4. Additional Obligations: (a) appointment of a contact person, (b) preparing a Data Processing Inventory, (c) Preparing Data Retention and Destruction Policy:
(a) Appointment of a contact person: A data controller must appoint a contact person, who will facilitate communication between the data controller and DPA. Please however note that such person’s responsibility shall be limited to facilitating the communication; hence the decision body of the data controller (e.g. board of directors in a joint stock company) shall remain liable for fulfilling the obligations under Turkish data protection legislation. Please kindly note that the role of the contact person, who must be appointed by all data controllers who are required to register with the Registry, is merely facilitating the communication between the data controller and DPA. On the other hand, the Representative, who must be appointed by data controllers based outside of Turkey, will be able to represent the data controller with respect to transactions relating to the Registry. Finally, neither of these roles corresponds to the role of data protection officer under the General Data Protection Regulation.
(b) Preparing a Data Processing Inventory: Data controllers are obliged to prepare a Data Processing Inventory which must include information on the following (almost the same as the information to be submitted to VERBIS for registration):
(i) Personal data processing activities,
(ii) Purposes of personal data processing,
(iii) Personal data categories,
(iv) Personal data recipients,
(v) Categories of data subjects,
(vi) Maximum periods for purposes of personal data processing activities,
(vii) Personal data, which may be transferred abroad,
(viii) Implemented data security measures.
(c) Preparing Data Retention and Destruction Policy: Details of this obligation are regulated in another regulation titled Regulation on Erasing, Deleting or Anonymising Personal Data (“Deletion Regulation”), which was published in the Official Gazette on 28 October 2017 and also entered into force as of 1 January 2018. According to the Deletion Regulation, data controllers, who are obliged to register with the Registry, are also obliged to prepare a Data Retention and Destruction Policy, which must include information on the following:
(i) The purpose of preparing Policy,
(ii) Data recording mediums regulated by the Policy,
(iii) Definitions of the legal and technical terms set forth in the Policy,
(iv) Explanation of the legal, technical or other reasons for retention and destruction of data,
(v) Technical and administrative measures for retaining data safely and preventing data from being processed or accessed illegally,
(vi) Technical and administrative measures for legally destroying data,
(vii) Titles, departments and position definitions of the persons who are involved in retention and destruction processes,
(viii) Table showing periods for data retention and destruction,
(ix) Destruction periods,
(x) Updates and amendments to Policy, if any.
5. Our Comment
Although the Turkish Data Protection Law, which was published in the Official Gazette on 7 April 2016 (“Law”), has not clearly determined the territorial scope of the Law, the Regulation implicitly determined the territorial scope of the Law to cover data controllers based outside of Turkey. Hence, currently, persons who are carrying out data protection activities that involve Turkey, but who are based outside of Turkey, are still obliged to comply with the Law, appoint a Representative and register with the Registry via such Representative.
Publication Date: 16 January 2018